Microsoft Security Baselines Blog

Security baseline for Microsoft 365 Apps for enterprise, v2112

Rick_Munck (Microsoft)
Dec 14, 2021

Microsoft is pleased to announce the release of the recommended security configuration baseline settings for Microsoft 365 Apps for enterprise, version 2112. Please download the content from the Microsoft Security Compliance Toolkit, test the recommended configurations, and implement as appropriate.


This baseline builds on the previous Office baseline, released in April 2021. The highlights of this baseline include:

  • Excel policy name change to "Macro Notification Settings" from "VBA Macro Notification Settings". This was done in conjunction with adding the new policy to block Excel 4.0 macros.
  • Expanded macro protection isolating and blocking Excel 4.0 macros. The Excel team created a new policy: "Prevent Excel from running XLM macros". In the Trust Center this is an additional check box in the Macros Tab. We are also blocking Excel 4.0 macros by default in Office version 2109 or later, starting with Current Channel (with other channels at a later time).
  • New attributes added to Administrative Template files (ADMX/ADML) for Microsoft 365 Apps for enterprise to easily identify Security baselines and the area the policies are helping to protect.
  • Name changes of GPOs included in this baseline - to align with Microsoft branding requirements, we have renamed the GPOs included in this baseline; see below.


The recommended settings in this security baseline correspond with the administrative templates version 5263, released December 13, 2021.


Deployment options for the baseline

IT Admins can apply baseline settings in different ways. Depending on the method(s) chosen, different registry keys will be written, and they are observed in order of precedence: Office cloud policies override ADMX/Group Policies, which in turn override end-user settings in the Trust Center.


  • Cloud policies may be deployed with the Office cloud policy service for policies in HKCU. Cloud policies apply to a user on any device accessing files in Office apps with their AAD account. In Office cloud policy service, you can filter the Recommendation column to display the current Security Baselines, and within each policy's context pane the recommended baseline setting is set by default. Learn more about Office cloud policy service.
  • ADMX policies may be deployed with Microsoft Endpoint Manager (MEM) for both HKCU and HKLM policies. These settings are written to the same place as Group Policy, but managed from the cloud in MEM. There are two methods to create and deploy policy configurations: Administrative templates or the settings catalog.
  • Group Policy Objects (GPOs) may be deployed with on-premises AD DS to users and computers. The downloadable baseline package includes importable GPOs, a script to apply the GPOs to local policy, a script to import the GPOs into Active Directory Group Policy, updated custom administrative template files (SecGuide.ADMX/L), all the recommended settings in spreadsheet form, and a Policy Analyzer rules file.
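As an added example (not part of this post or of the baseline package), the following PowerShell resolves a single Office policy across the three places it can land and reports which one wins, in the precedence order described above. The registry locations used for cloud policy (HKCU\Software\Policies\Microsoft\Cloud\Office\16.0), ADMX/Group Policy (HKCU\Software\Policies\Microsoft\Office\16.0) and the Trust Center (HKCU\Software\Microsoft\Office\16.0), and the value name AllowDDE for the Word DDE policy used in the usage call, are assumptions of this example and are not stated in the post.

```powershell
# Added example, not from the baseline package or the Security Compliance Toolkit.
# Resolve the effective value of one Office policy by checking the three registry
# locations in the precedence order the post describes: cloud > ADMX/GP > Trust Center.
#
# Assumed locations (not stated in the post):
#   Office cloud policy : HKCU:\Software\Policies\Microsoft\Cloud\Office\16.0\<sub-key>
#   ADMX / Group Policy : HKCU:\Software\Policies\Microsoft\Office\16.0\<sub-key>
#   Trust Center (user) : HKCU:\Software\Microsoft\Office\16.0\<sub-key>
# The value name AllowDDE for the Word DDE policy (L_AllowDDE in the ADMX) is also assumed.

function Get-EffectiveOfficePolicy {
    [CmdletBinding()]
    param(
        # Sub-path under the 16.0 node, i.e. the ADMX "key" attribute with its
        # "software\policies\microsoft\office\16.0\" prefix removed, e.g. 'word\security'.
        [Parameter(Mandatory)] [string] $PolicySubKey,
        # Registry value the policy writes.
        [Parameter(Mandatory)] [string] $ValueName
    )

    # Highest precedence first.
    $sources = [ordered]@{
        'Office cloud policy' = "HKCU:\Software\Policies\Microsoft\Cloud\Office\16.0\$PolicySubKey"
        'ADMX / Group Policy' = "HKCU:\Software\Policies\Microsoft\Office\16.0\$PolicySubKey"
        'Trust Center (user)' = "HKCU:\Software\Microsoft\Office\16.0\$PolicySubKey"
    }

    $observed = @()
    foreach ($source in $sources.GetEnumerator()) {
        # Get-ItemProperty returns $null (no error) when the key or the value is absent.
        $item = Get-ItemProperty -Path $source.Value -Name $ValueName -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            $observed += [pscustomobject]@{
                Source = $source.Key
                Path   = $source.Value
                Data   = $item.$ValueName
            }
        }
    }

    # The first hit in precedence order is the one Office honours; the rest are
    # reported as "shadowed" so that an overridden Trust Center choice stays visible.
    $winner    = $observed | Select-Object -First 1
    $effective = $null
    $origin    = 'Not configured'
    if ($winner) {
        $effective = $winner.Data
        $origin    = $winner.Source
    }

    [pscustomobject]@{
        ValueName = $ValueName
        Effective = $effective
        Source    = $origin
        Shadowed  = @($observed | Select-Object -Skip 1)
    }
}

# Usage: the Word DDE policy whose ADMX fragment appears later in the post.
Get-EffectiveOfficePolicy -PolicySubKey 'word\security' -ValueName 'AllowDDE' | Format-List
```

The function only covers the HKCU side, which is the scope of cloud policy as the post notes; Computer-class GPOs in the baseline write under HKLM and would need a second lookup. A non-empty Shadowed list is the case to look for when a user reports that a Trust Center change "does not stick": the lower-precedence value is present but a managed policy is in effect.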


GPOs included in the baseline

Most organizations can implement the baseline’s recommended settings without any problems. However, there are a few settings that will cause operational issues for some organizations. We've broken out related groups of such settings into their own GPOs to make it easier for organizations to add or remove these restrictions as a set. The local-policy script (Baseline-LocalInstall.ps1) offers command-line options to control whether these GPOs are installed.


Note: Name change to “MSFT Microsoft 365 Apps v2112”. This GPO set includes “Computer” and “User” GPOs that represent the “core” settings, which should be trouble-free, plus each of these potentially challenging GPOs:


  • “DDE Block - User” is a User Configuration GPO that blocks using DDE to search for existing DDE server processes or to start new ones.
  • “Legacy File Block - User” is a User Configuration GPO that prevents Office applications from opening or saving legacy file formats.
  • "Legacy JScript Block - Computer" disables the legacy JScript execution for websites in the Internet Zone and Restricted Sites Zone.
  • “Require Macro Signing - User” is a User Configuration GPO that disables unsigned macros in each of the Office applications.


Disable Excel 4 Macros

A new Excel policy is available to block Excel 4.0 macros separately from VBA macros: "Prevent Excel from running XLM macros". With this new policy, disabling XLM macros no longer affects the VBA macro settings. The setting is also available in the Trust Center for end users to modify; therefore, to prevent end users from changing it, we recommend enabling the policy "Prevent Excel from running XLM macros".


AREA and AREACATEGORY attributes in ADMX Templates

A new set of attributes has been introduced to allow policies to be tagged for specific scenarios such as Security Baseline, Security, Privacy, Accessibility, etc. These tags will power upcoming features to help admins identify policies by area for easier adoption. You'll see these new columns in the spreadsheet documentation of the security baselines.


Example:

    <policy name="L_AllowDDE" class="User" Area="Security Baseline" AreaCategory="DDE" displayName="$(string.L_AllowDDE)" explainText="$(string.L_AllowDDEExplain)" presentation="$(presentation.L_AllowDDE)" key="software\policies\microsoft\office\16.0\word\security">
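As an added example (not from the post or from the Office ADMX package), the following PowerShell reads an ADMX file and lists the policies tagged with the new Area and AreaCategory attributes, grouped by category, which is the same view the spreadsheet columns give. The sample ADMX embedded in the script is constructed for this example: only the L_AllowDDE element mirrors the fragment shown above; the L_ExampleMacroPolicy and L_ExampleUntagged elements are invented to show grouping and an untagged policy.

```powershell
# Added example, not from the post or the ADMX package: enumerate the policies in an
# ADMX file that carry Area / AreaCategory attributes and group them by category.

function Get-AdmxPolicyAreas {
    param(
        [Parameter(Mandatory)] [xml] $Admx,
        [string] $Area = 'Security Baseline'
    )
    # ADMX files declare a default namespace, so XPath needs a prefix bound to it.
    $ns = New-Object System.Xml.XmlNamespaceManager($Admx.NameTable)
    $ns.AddNamespace('pd', 'http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions')

    # GetAttribute returns "" for policies without the new attributes, so untagged
    # policies simply fail the Area filter.
    $Admx.SelectNodes('//pd:policies/pd:policy', $ns) |
        Where-Object { $_.GetAttribute('Area') -eq $Area } |
        ForEach-Object {
            [pscustomobject]@{
                AreaCategory = $_.GetAttribute('AreaCategory')
                Policy       = $_.GetAttribute('name')
                Class        = $_.GetAttribute('class')
                Key          = $_.GetAttribute('key')
            }
        } |
        Sort-Object AreaCategory, Policy
}

# Constructed sample for this example. With the real templates you would instead do:
#   [xml]$admx = Get-Content -Raw .\word16.admx
# The single-quoted here-string keeps $(string.*) references from being expanded.
[xml]$sampleAdmx = @'
<policyDefinitions xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions" revision="1.0" schemaVersion="1.0">
  <policies>
    <policy name="L_AllowDDE" class="User" Area="Security Baseline" AreaCategory="DDE" displayName="$(string.L_AllowDDE)" explainText="$(string.L_AllowDDEExplain)" presentation="$(presentation.L_AllowDDE)" key="software\policies\microsoft\office\16.0\word\security" />
    <policy name="L_ExampleMacroPolicy" class="User" Area="Security Baseline" AreaCategory="Macros" displayName="$(string.L_ExampleMacroPolicy)" key="software\policies\microsoft\office\16.0\excel\security" />
    <policy name="L_ExampleUntagged" class="User" displayName="$(string.L_ExampleUntagged)" key="software\policies\microsoft\office\16.0\word\options" />
  </policies>
</policyDefinitions>
'@

# Usage: two tagged policies are listed under their categories; the untagged one is not.
Get-AdmxPolicyAreas -Admx $sampleAdmx | Format-Table -GroupBy AreaCategory -AutoSize
```

Running the function over every .admx file in the downloaded template folder (Get-ChildItem *.admx piped into the function) gives a quick inventory of which baseline-tagged policies each template carries, which is useful for checking that a deployed template version matches the one the baseline was built against.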


When can I expect the next release of Microsoft 365 Apps for enterprise Security Baseline?

Going forward, we plan to release new security baselines every 6 months, usually in June and December.


If you have questions or issues, please let us know via the Security Baseline Community or this post.


Updated Dec 14, 2021
Version 1.0

10 Comments

  • mktl73 this would be better posted against the Edge blog post, not the Office one, but to answer your question, we missed it. The setting has no effect any longer and will be removed in version 99. 

  • mktl73

    @Rick_Munck Any good reason why the baseline still includes the "TripleDESEnabled" setting?

    The setting description states "Warning: 3DES will be completely removed from Microsoft Edge in version 95 (around October 2021) and this policy will stop working then."

  • Microsoft - it's great with these baselines - just make sure you publish them inside MEM as well. That goes for both Security and Update Baselines 🙂

  • danielfawcett and Rick_Munck - it looks like it's just a mistake that column D puts that row in the "Security Baseline" area. It's the only row on that sheet with Area = "Security Baseline" but nothing in column C. Seems obvious to me that one wouldn't want to keep PowerPoint from opening .pptx files, which is what y'all are talking about...

  • danielfawcett thank you for the feedback, we are glad you find the baselines useful!  For Line 1580 "PowerPoint 2007 and later presentations, shows, templates, themes and add-in files" that is actually deliberate and set to Not Configured at this time.  We constantly evaluate settings and might pick it up at a later time.

  • danielfawcett

    Rick_Munck First, thank you for this collection of settings.  I can't tell you how helpful they are!


    In the accompanying spreadsheet of settings > User worksheet > row 1580, the setting "Microsoft PowerPoint 2016\PowerPoint Options\Security\Trust Center\File Block Settings" is marked as part of the security baseline but there is no value in column C.  I think that it should be "Open/Save blocked, use open policy", but just wanted to highlight it.


  • Christian_Hemken This is work in progress on the MEM side. We are aiming to push out the built-in template for the Office baseline Q1/Q2 of next year. We will provide updates through MEM "What's New" docs so keep a look out for that!

  • TP_IT

    Are they updated in intune/config.office.com as well?


    best regards

  • Rick_Munck It is great that we can import the baselines to on-prem systems. However, when will these baselines be ready to use as a template within Endpoint Manager? Additionally, the MS Security Guide is not completely available within MEM to configure.