The MS Office applications are complex and have grown over many years. In particular, some older features are no longer desired in a professional environment or may even pose a security risk. Microsoft therefore provides a security baseline that can reduce the attack surface via GPOs.

Microsoft updates the security baseline for Windows 10 with every feature update of the OS. Companies are encouraged to harden their PCs against threats by applying this baseline. For Office, the need for such measures is no less important, as the applications still contain many old and vulnerable technologies for compatibility reasons.

Support of Office versions is unclear

Due to the different editions and licensing options, managing Office using security baselines is not as easy as it is with Windows. For example, Microsoft 365 business applications cannot be managed via group policies at all.

Here, you can at least try to avert threats from macros by setting the relevant registry keys via group policy preferences.

In addition, the Office applications you get from the subscriptions are updated every six months (SAC), while the 2016 or 2019 versions from the Long-Term Servicing Channel (LTSC) don't receive any new features.

However, the security baseline always refers to one of the latest SAC releases (currently to Microsoft Office 365 ProPlus, which is now called Microsoft 365 Apps for Enterprise). However, the documentation does not provide any information about the settings that are also supported in Office 2016 or 2019.

In fact, the updates for Microsoft 365 hardly bring any new security-relevant GPO settings, so that the baseline essentially fulfills its purpose everywhere. However, where such changes do exist, such as the most recently introduced support for "Block execution of macros in Office files from the Internet" in Access, they have no effect on older versions.

ADMX templates for all Office versions

These inconsistencies continue with the ADMX templates for Office, which of course must be installed as a requirement for the baseline. The major version of Office has not changed internally since 2016, so existing GPOs will continue to work for 2019 and 365.

The GPO editor does not indicate that this setting requires access from the M365 subscription

The GPO editor does not indicate that this setting requires access from the M365 subscription

While new settings are continually being added, they apparently do not have any effect on the older versions. You can't tell which setting is supported by which version of Office from the GPO editor, because it only shows the supported version of Windows, not Office.

Content of the Security Baseline

The current security baseline for Office is included in the Security Compliance Toolkit. Like the one for Windows, it comprises a backup of the sample GPOs, GPO reports in HTML format showing the configured settings, PowerShell scripts for import, and documentation (Word and Excel files).

Directory structure of the security baseline for Microsoft Office

Directory structure of the security baseline for Microsoft Office

In addition, there is an ADMX template for Windows and Office security settings in the Template directory, which is required for the GPO MSFT Office 365 ProPlus 1908 – Computer. Therefore, you should copy it together with the English language file into the local directory PolicyDefinitions or into the central store for group policies.

Settings in five GPOs

Once these preparations have been made, you can consider which baseline settings to apply to your environment. They are distributed among five GPOs, whereby all those that will probably not have an adverse impact on functionality or usability are located in MSFT Office 365 ProPlus 1908 - Computer or User.

Most settings are configured by the baseline in the Users branch

Most settings are configured by the baseline in the Users branch

Three other GPOs are responsible for allowing only signed macros to run, disabling DDE for Excel, and blocking old file formats. If companies still use many macros that were developed in-house but haven't been signed, then you should not apply the corresponding group policy object.

The same is true for old binary formats such as .doc, .xls or .ppt. According to Microsoft, their complexity makes them not only more vulnerable to attack, but also more dangerous because of the embedded macros. However, if you need these file formats for data exchange, for example, then you must also do without the corresponding GPO.

Importing the baseline

The easiest way to acquire the settings recommended by Microsoft is to import the supplied GPO backups into Group Policy Management. To do this, first create an empty GPO to receive the settings in the Group Policy Objects section. It makes sense to keep the name from the baseline.

To display the names of the GPOs before the import, you can run the following PowerShell script from the root directory of the unpacked ZIP archive:

.\\Scripts\\Tools\\MapGuidsToGpoNames.ps1 $PWD | Format-Table -AutoSize
Displaying the names of the baseline GPOs with PowerShell

Displaying the names of the baseline GPOs with PowerShell

Then open the context menu of the new GPO and select Import Settings. The following wizard first offers to back up the GPO, but this is not necessary in this case.

Start the wizard for importing the baseline in Group Policy Management

Start the wizard for importing the baseline in Group Policy Management

Then select the GPOs directory from the baseline, and you will get a list of all objects saved there. Select the object whose settings you want to import.

Importing the GPO with settings for computers

Importing the GPO with settings for computers

Repeat this process for the other GPOs. These will not be linked to any domain or OU, so you can check their settings again before assigning them to specific users or PCs.


In addition to a security baseline for the operating system, Microsoft also offers one for Office. Its use should definitely be considered, as these applications are among the preferred targets of attack, along with the web browser and the OS. Their numerous legacy technologies pose a particular threat, and they can be largely deactivated via the recommended settings.

Subscribe to 4sysops newsletter!

Due to the large number of Office variants and insufficient documentation, it is not always clear which setting applies to which version. However, the vast majority of group policies have secured all Office packages since 2016.

1 Comment
  1. Avatar
    Michael 7 months ago

    where can I actually download older baselines e.g. Office 2016? They are no longer included in the current toolkit. Thanks a lot

Leave a reply

Please enclose code in pre tags: <pre></pre>

Your email address will not be published. Required fields are marked *


© 4sysops 2006 - 2023


Please ask IT administration questions in the forums. Any other messages are welcome.


Log in with your credentials


Forgot your details?

Create Account