Security baseline for Microsoft 365 Apps for enterprise v2206
Published Jun 14 2022 09:13 AM
Microsoft

Microsoft is pleased to announce the release of the recommended security configuration baseline settings for Microsoft 365 Apps for enterprise, version 2206. Please download the content from the Microsoft Security Compliance Toolkit, test the recommended configurations, and implement as appropriate.


This baseline builds on the previous Office baseline we released in December 2021. The highlights of this baseline include:

  • Removed the recommendation for the policy "Junk E-mail protection". This policy controls a deprecated feature of SmartScreen for Exchange that's been replaced and setting this policy can cause junk email filtering issues. The Outlook and Defender product groups are working on retiring this feature and policy.
  • The default change to block macros in files obtained from the internet is rolling out to all supported Office versions, starting with Current Channel as of June 2022; future releases and timelines are listed in the Admin article.
  • Mismatched recommendations corrected. The Office team upgraded the tooling that creates the resources and documentation for the Security Baselines. These improvements found some mismatches between the "MSFT Microsoft 365 Apps v2112 - User" GPO and the spreadsheet documentation. See the list of corrections in the details below.
  • Known issue: The Solver add-in that ships with Excel may not work properly when the recommended security baselines policy "Prevent Excel from running XLM macros" is enabled. See more in the details below.
  • Published new article on Security Baselines for Office apps which contains general information and links to the latest baseline.


The recommended settings in this security baseline correspond with the administrative templates version 5287, released on 2/9/2022.


Deployment options for the baseline

IT admins can apply baseline settings in different ways. Depending on the method(s) chosen, different registry keys are written, and they are applied in order of precedence: Office cloud policies override ADMX/Group Policies, which override end-user settings in the Trust Center.


  • Cloud policies may be deployed with the Office cloud policy service for policies in HKCU. Cloud policies apply to a user on any device accessing files in Office apps with their AAD account. In Office cloud policy service, you can create a filter for the Area column to display the current Security Baselines, and within each policy's context pane the recommended baseline setting is set by default. Learn more about Office cloud policy service.
  • ADMX policies may be deployed with Microsoft Endpoint Manager (MEM) for both HKCU and HKLM policies. These settings are written to the same place as Group Policy, but managed from the cloud in MEM. There are two methods to create and deploy policy configurations: Administrative templates or the settings catalog.
  • Group Policy may be deployed with on-premises AD DS to deploy Group Policy Objects (GPOs) to users and computers. The downloadable baseline package includes importable GPOs, a script to apply the GPOs to local policy, a script to import the GPOs into Active Directory Group Policy, an updated custom administrative template (SecGuide.ADMX/L) file, all the recommended settings in spreadsheet form, and a Policy Analyzer rules file.


GPOs included in the baseline

Most organizations can implement the baseline’s recommended settings without any problems. However, there are a few settings that will cause operational issues for some organizations. We've broken out related groups of such settings into their own GPOs to make it easier for organizations to add or remove these restrictions as a set. The local-policy script (Baseline-LocalInstall.ps1) offers command-line options to control whether these GPOs are installed.


The "MSFT Microsoft 365 Apps v2206" GPO set includes “Computer” and “User” GPOs that represent the “core” settings, which should be trouble free, plus each of these potentially challenging GPOs:


  • “DDE Block - User” is a User Configuration GPO that blocks using DDE to search for existing DDE server processes or to start new ones.
  • “Legacy File Block - User” is a User Configuration GPO that prevents Office applications from opening or saving legacy file formats.
  • "Legacy JScript Block - Computer" disables the legacy JScript execution for websites in the Internet Zone and Restricted Sites Zone.
  • “Require Macro Signing - User” is a User Configuration GPO that disables unsigned macros in each of the Office applications.


Removed the recommendation for Junk E-mail protection policy

This policy controls the deprecated SmartScreen for Exchange feature, which was replaced by Exchange Online Protection (EOP) as of 2016; learn more in this blog article. Previously, we recommended setting the policy to HIGH; however, this can conflict with EOP and cause false negatives and other junk email filtering issues. The SmartScreen for Exchange service is no longer supported, and we are removing this recommendation from the security baselines.


New Office default: VBA macros blocked in files from the Internet

VBA macros are a common way for malicious actors to gain access and deploy malware and ransomware. For years we've recommended enabling this policy as part of the security baselines, and we're now enabling this behavior by default for everyone. If you've already set this policy in your organization, this default change will not affect you, because policy takes precedence over the default. If, however, you have not configured "Block macros in files obtained from the internet" for Office apps (Access, Excel, PowerPoint, Visio, Word), this change will affect you. Learn more in the blog article in Tech Community and in the Admin article listing all release timeframes and options for administration.
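As an added example (not code from Microsoft's baseline package), the following PowerShell reads the policy registry locations in the precedence order described under Deployment options (cloud policy, then ADMX/Group Policy, then the user's Trust Center) and reports where the "Block macros in files obtained from the internet" setting comes from for each of the apps named above, so an admin can see which users still depend on the new product default. The registry paths and the value name blockcontentexecutionfrominternet are assumptions to verify against your ADMX files and the cloud policy service; the Trust Center has no UI toggle for this particular policy, so that location is included only to complete the precedence chain.

```powershell
# Added example, not part of Microsoft's baseline package. Reports where the
# "Block macros in files obtained from the internet" setting comes from for each
# Office app the post names, using the precedence the post describes:
#   Office cloud policy > ADMX/Group Policy > end-user Trust Center > product default.
# ASSUMED registry locations and value name (verify against your ADMX/cloud policy):
#   cloud policy : HKCU:\Software\Policies\Microsoft\Cloud\Office\16.0\<App>\Security
#   GPO/ADMX     : HKCU:\Software\Policies\Microsoft\Office\16.0\<App>\Security
#   Trust Center : HKCU:\Software\Microsoft\Office\16.0\<App>\Security
#   value name   : blockcontentexecutionfrominternet (DWORD, 1 = block)

$Apps      = 'Access', 'Excel', 'PowerPoint', 'Visio', 'Word'
$ValueName = 'blockcontentexecutionfrominternet'

function Get-RegistryDword {
    param([string]$Path, [string]$Name)
    # $null means "not configured here", which must stay distinct from a configured 0.
    if (-not (Test-Path -Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Get-EffectiveMacroBlock {
    param([string]$App)
    # Ordered so the first hit is the source that actually wins.
    $sources = [ordered]@{
        'Cloud policy' = "HKCU:\Software\Policies\Microsoft\Cloud\Office\16.0\$App\Security"
        'GPO/ADMX'     = "HKCU:\Software\Policies\Microsoft\Office\16.0\$App\Security"
        'Trust Center' = "HKCU:\Software\Microsoft\Office\16.0\$App\Security"
    }
    foreach ($source in $sources.Keys) {
        $value = Get-RegistryDword -Path $sources[$source] -Name $ValueName
        if ($null -ne $value) {
            return [pscustomobject]@{ App = $App; Source = $source; Blocked = ($value -eq 1) }
        }
    }
    # Nothing configured: the build's default applies (Current Channel blocks as of June 2022).
    return [pscustomobject]@{ App = $App; Source = 'Product default'; Blocked = 'build default' }
}

# Apps reported as "Product default" are the ones whose behavior the new default changes.
$Apps | ForEach-Object { Get-EffectiveMacroBlock -App $_ } | Format-Table -AutoSize
```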


Mismatched recommendations corrected

The Office team upgraded the tooling that creates the Office resources and documentation for the Compliance Toolkit. These improvements found some mismatches between the "MSFT Microsoft 365 Apps v2112 - User" GPO and the spreadsheet documentation; we have corrected these:

  • It is recommended for Access to enable the policy "Disable Trust Bar Notification for unsigned application add-ins and block them".
    • The "MSFT Microsoft 365 Apps v2112 - User" GPO in the Compliance Toolkit correctly had this policy enabled, while our documentation was incorrect. The documentation is now fixed.
  • It is recommended for Access to not configure the policy "Require that application add-ins are signed by Trusted Publisher".
    • The documentation was correct and the "MSFT Microsoft 365 Apps v2112 - User" GPO was incorrect. The GPO is now fixed.
  • It is recommended for Excel to enable the policy "Require that application add-ins are signed by Trusted Publisher".
    • The documentation was correct and the "MSFT Microsoft 365 Apps v2112 - User" GPO was incorrect. The GPO is now fixed.


Known issue: Solver add-in may not work properly with a certain security policy enabled

When the recommended security baselines policy "Prevent Excel from running XLM macros" is enabled, the Solver and Analysis ToolPak add-ins that ship with Excel will not function properly. Functionality may be missing, and results may not be computed, even though the user is told the computation succeeded. A fix is in progress; workarounds, current status, and availability are included in the article.


When can I expect the next release of Microsoft 365 Apps for enterprise Security Baseline?

Going forward, we plan to release new security baselines every 6 months, usually in June and December.


If you have questions or issues, please let us know via the Security Baseline Community or this post.


Last update: May 11 2023 10:16 AM