This article is a reference for the settings that are available in the Microsoft 365 Apps for Enterprise security baseline for Microsoft Intune.
Each security baseline is a group of preconfigured settings that help you apply and enforce granular security settings that the relevant security teams recommend. You can also customize each baseline you deploy to enforce only those settings and values you require. When you create a security baseline profile in Intune, you're creating a template that consists of multiple device configuration profiles.
The details that are displayed in this article are based on the baseline version that is selected at the top of the article. For each selection, this article displays:
When a new version of a baseline becomes available, it replaces the previous version. Profile instances that you’ve created prior to the availability of a new version:
To learn more about using security baselines, see:
Microsoft 365 Apps for Enterprise security baseline for May 2023
This baseline version was first made available in May of 2023. It was replaced by baseline version 2306.
For more information about the following settings that are included in this baseline, download the Microsoft Security Compliance Toolkit 1.0 from the Microsoft Download Center, and review the Microsoft 365 Apps for Enterprise-2206-FINAL.zip file.
Microsoft 365 Apps for Enterprise security baseline version 2306
This baseline version was first made available in November 2023, and replaces the May 2023 version.
For more information about the following settings that are included in this baseline, download the Security Compliance Toolkit and Baselines from the Microsoft Download Center, and then review the Microsoft 365 Apps for Enterprise 2306.zip file.
MS Security Guide
Block Flash activation in Office documents
Baseline default: Enabled
Restrict legacy JScript execution for Office
Baseline default: Enabled
Excel: (Device)
Baseline default: 69632
PowerPoint: (Device)
Baseline default: 69632
OneNote: (Device)
Baseline default: 69632
Publisher: (Device)
Baseline default: 69632
Access: (Device)
Baseline default: 69632
Project: (Device)
Baseline default: 69632
Visio: (Device)
Baseline default: 69632
Outlook: (Device)
Baseline default: 69632
Word: (Device)
Baseline default: 69632
Application Settings > Security > Trust Center
Block macros from running in Office files from the Internet (User)
Baseline default: Enabled
Disable Trust Bar Notification for unsigned application add-ins and block them (User)
Baseline default: Enabled
Application Settings > Security > Trust Center > Trusted Locations
Data Recovery
Excel Options > Advanced
Excel Options > Advanced > General
Excel Options > Save
Disable AutoRepublish (User)
Baseline default: Enabled
Do not show AutoRepublish warning alert (User)
Baseline default: Disabled
Excel Options > Security
Force file extension to match file type (User)
Baseline default: Enabled
Scan encrypted macros in Excel Open XML workbooks (User)
Baseline default: Enabled
Turn off file validation (User)
Baseline default: Disabled
WEBSERVICE Function Notification Settings (User)
Baseline default: Enabled
Excel Options > Security > Trust Center
Prevent Excel from running XLM macros (User)
Baseline default: Enabled
Require that application add-ins are signed by Trusted Publisher (User)
Baseline default: Enabled
VBA Macro Notification Settings (User)
Baseline default: Enabled
Excel Options > Security > Trust Center > External Content
Don’t allow Dynamic Data Exchange (DDE) server launch in Excel (User)
Baseline default: Enabled
Don’t allow Dynamic Data Exchange (DDE) server lookup in Excel (User)
Baseline default: Enabled
Excel Options > Security > Trust Center > File Block Settings
dBase III / IV files (User)
Baseline default: Enabled
Dif and Sylk files (User)
Baseline default: Enabled
Excel 2 macrosheets and add-in files (User)
Baseline default: Enabled
Excel 2 worksheets (User)
Baseline default: Enabled
Excel 3 macrosheets and add-in files (User)
Baseline default: Enabled
Excel 3 worksheets (User)
Baseline default: Enabled
Excel 4 macrosheets and add-in files (User)
Baseline default: Enabled
Excel 4 workbooks (User)
Baseline default: Enabled
Excel 4 worksheets (User)
Baseline default: Enabled
Excel 95 workbooks (User)
Baseline default: Enabled
Excel 95-97 workbooks and templates (User)
Baseline default: Enabled
Excel 97-2003 workbooks and templates (User)
Baseline default: Enabled
Set default file block behavior (User)
Baseline default: Enabled
Web pages and Excel 2003 XML spreadsheets (User)
Baseline default: Enabled
Excel Options > Security > Trust Center > Protected View
Always open untrusted database files in Protected View (User)
Baseline default: Enabled
Do not open files from the Internet zone in Protected View (User)
Baseline default: Disabled
Do not open files in unsafe locations in Protected View (User)
Baseline default: Disabled
Set document behavior if file validation fails (User)
Baseline default: Enabled
Turn off Protected View for attachments opened from Outlook (User)
Baseline default: Disabled
Excel Options > Security > Trust Center > Trusted Locations
Configure SIP security mode
Baseline default: Enabled
Disable HTTP fallback for SIP connection
Baseline default: Enabled
Customize
Disable UI extending from documents and templates (User)
Baseline default: Enabled
Disallow in PowerPoint (User)
Baseline default: True
Disallow in Publisher (User)
Baseline default: True
Disallow in Outlook (User)
Baseline default: True
Disallow in Project (User)
Baseline default: True
Disallow in Access (User)
Baseline default: True
Disallow in InfoPath (User)
Baseline default: True
Disallow in Word (User)
Baseline default: True
Disallow in Excel (User)
Baseline default: True
Disallow in Visio (User)
Baseline default: True
Security Settings
Allow VBA to load typelib references by path from untrusted intranet locations (User)
Baseline default: Disabled
Automation Security (User)
Baseline default: Enabled
Control how Office handles form-based sign-in prompts (User)
Baseline default: Enabled
Disable additional security checks on VBA library references that may refer to unsafe locations on the local machine (User)
Baseline default: Disabled
Disable all Trust Bar notifications for security issues (User)
Baseline default: Disabled
Encryption type for password protected Office 97-2003 files (User)
Baseline default: Enabled
Encryption type for password protected Office Open XML files (User)
Baseline default: Enabled
Load Controls in Forms3 (User)
Baseline default: Enabled
Macro Runtime Scan Scope (User)
Baseline default: Enabled
Protect document metadata for rights managed Office Open XML Files (User)
Baseline default: Enabled
Security Settings > Trust Center
Server Settings
Smart Documents (Word, Excel)
Security Settings > IE Security
Add-on Management
Baseline default: Enabled
mspub.exe (Device)
Baseline default: True
mse7.exe (Device)
Baseline default: True
msaccess.exe (Device)
Baseline default: True
powerpnt.exe (Device)
Baseline default: True
excel.exe (Device)
Baseline default: True
visio.exe (Device)
Baseline default: True
onent.exe (Device)
Baseline default: True
outlook.exe (Device)
Baseline default: True
pptview.exe (Device)
Baseline default: True
winword.exe (Device)
Baseline default: True
exprwd.exe (Device)
Baseline default: True
spDesign.exe (Device)
Baseline default: True
winproj.exe (Device)
Baseline default: True
groove.exe (Device)
Baseline default: True
Consistent Mime Handling
Baseline default: Enabled
exprwd.exe (Device)
Baseline default: True
excel.exe (Device)
Baseline default: True
spDesign.exe (Device)
Baseline default: True
onent.exe (Device)
Baseline default: True
outlook.exe (Device)
Baseline default: True
pptview.exe (Device)
Baseline default: True
mspub.exe (Device)
Baseline default: True
visio.exe (Device)
Baseline default: True
winproj.exe (Device)
Baseline default: True
msaccess.exe (Device)
Baseline default: True
powerpnt.exe (Device)
Baseline default: True
groove.exe (Device)
Baseline default: True
mse7.exe (Device)
Baseline default: True
winword.exe (Device)
Baseline default: True
Disable user name and password
Baseline default: Enabled
excel.exe (Device)
Baseline default: True
groove.exe (Device)
Baseline default: True
onent.exe (Device)
Baseline default: True
mse7.exe (Device)
Baseline default: True
mspub.exe (Device)
Baseline default: True
visio.exe (Device)
Baseline default: True
exprwd.exe (Device)
Baseline default: True
msaccess.exe (Device)
Baseline default: True
spDesign.exe (Device)
Baseline default: True
winword.exe (Device)
Baseline default: True
powerpnt.exe (Device)
Baseline default: True
outlook.exe (Device)
Baseline default: True
winproj.exe (Device)
Baseline default: True
pptview.exe (Device)
Baseline default: True
Information Bar
Baseline default: Enabled
pptview.exe (Device)
Baseline default: True
excel.exe (Device)
Baseline default: True
mspub.exe (Device)
Baseline default: True
msaccess.exe (Device)
Baseline default: True
onent.exe (Device)
Baseline default: True
outlook.exe (Device)
Baseline default: True
winproj.exe (Device)
Baseline default: True
powerpnt.exe (Device)
Baseline default: True
spDesign.exe (Device)
Baseline default: True
groove.exe (Device)
Baseline default: True
visio.exe (Device)
Baseline default: True
mse7.exe (Device)
Baseline default: True
winword.exe (Device)
Baseline default: True
exprwd.exe (Device)
Baseline default: True
Local Machine Zone Lockdown Security
Baseline default: Enabled
mse7.exe (Device)
Baseline default: True
powerpnt.exe (Device)
Baseline default: True
mspub.exe (Device)
Baseline default: True
outlook.exe (Device)
Baseline default: True
pptview.exe (Device)
Baseline default: True
excel.exe (Device)
Baseline default: True
exprwd.exe (Device)
Baseline default: True
groove.exe (Device)
Baseline default: True
winword.exe (Device)
Baseline default: True
msaccess.exe (Device)
Baseline default: True
spDesign.exe (Device)
Baseline default: True
visio.exe (Device)
Baseline default: True
onent.exe (Device)
Baseline default: True
winproj.exe (Device)
Baseline default: True
Mime Sniffing Safety Feature
Baseline default: Enabled
onent.exe (Device)
Baseline default: True
winword.exe (Device)
Baseline default: True
excel.exe (Device)
Baseline default: True
powerpnt.exe (Device)
Baseline default: True
exprwd.exe (Device)
Baseline default: True
groove.exe (Device)
Baseline default: True
visio.exe (Device)
Baseline default: True
outlook.exe (Device)
Baseline default: True
mspub.exe (Device)
Baseline default: True
mse7.exe (Device)
Baseline default: True
msaccess.exe (Device)
Baseline default: True
pptview.exe (Device)
Baseline default: True
winproj.exe (Device)
Baseline default: True
spDesign.exe (Device)
Baseline default: True
Navigate URL
Baseline default: Enabled
groove.exe (Device)
Baseline default: True
spDesign.exe (Device)
Baseline default: True
onent.exe (Device)
Baseline default: True
pptview.exe (Device)
Baseline default: True
outlook.exe (Device)
Baseline default: True
winproj.exe (Device)
Baseline default: True
msaccess.exe (Device)
Baseline default: True
winword.exe (Device)
Baseline default: True
excel.exe (Device)
Baseline default: True
mspub.exe (Device)
Baseline default: True
exprwd.exe (Device)
Baseline default: True
powerpnt.exe (Device)
Baseline default: True
visio.exe (Device)
Baseline default: True
mse7.exe (Device)
Baseline default: True
Object Caching Protection
Baseline default: Enabled
winword.exe (Device)
Baseline default: True
powerpnt.exe (Device)
Baseline default: True
spDesign.exe (Device)
Baseline default: True
mse7.exe (Device)
Baseline default: True
mspub.exe (Device)
Baseline default: True
msaccess.exe (Device)
Baseline default: True
onent.exe (Device)
Baseline default: True
outlook.exe (Device)
Baseline default: True
groove.exe (Device)
Baseline default: True
excel.exe (Device)
Baseline default: True
visio.exe (Device)
Baseline default: True
pptview.exe (Device)
Baseline default: True
winproj.exe (Device)
Baseline default: True
exprwd.exe (Device)
Baseline default: True
Protection From Zone Elevation
Baseline default: Enabled
winproj.exe (Device)
Baseline default: True
groove.exe (Device)
Baseline default: True
outlook.exe (Device)
Baseline default: True
mspub.exe (Device)
Baseline default: True
visio.exe (Device)
Baseline default: True
powerpnt.exe (Device)
Baseline default: True
excel.exe (Device)
Baseline default: True
mse7.exe (Device)
Baseline default: True
winword.exe (Device)
Baseline default: True
exprwd.exe (Device)
Baseline default: True
msaccess.exe (Device)
Baseline default: True
spDesign.exe (Device)
Baseline default: True
onent.exe (Device)
Baseline default: True
pptview.exe (Device)
Baseline default: True
Restrict ActiveX Install
Baseline default: Enabled
mse7.exe (Device)
Baseline default: True
powerpnt.exe (Device)
Baseline default: True
spDesign.exe (Device)
Baseline default: True
onent.exe (Device)
Baseline default: True
excel.exe (Device)
Baseline default: True
mspub.exe (Device)
Baseline default: True
visio.exe (Device)
Baseline default: True
exprwd.exe (Device)
Baseline default: True
outlook.exe (Device)
Baseline default: True
pptview.exe (Device)
Baseline default: True
winproj.exe (Device)
Baseline default: True
winword.exe (Device)
Baseline default: True
groove.exe (Device)
Baseline default: True
msaccess.exe (Device)
Baseline default: True
Restrict File Download
Baseline default: Enabled
onent.exe (Device)
Baseline default: True
mse7.exe (Device)
Baseline default: True
groove.exe (Device)
Baseline default: True
visio.exe (Device)
Baseline default: True
winproj.exe (Device)
Baseline default: True
msaccess.exe (Device)
Baseline default: True
spDesign.exe (Device)
Baseline default: True
excel.exe (Device)
Baseline default: True
powerpnt.exe (Device)
Baseline default: True
mspub.exe (Device)
Baseline default: True
exprwd.exe (Device)
Baseline default: True
outlook.exe (Device)
Baseline default: True
pptview.exe (Device)
Baseline default: True
winword.exe (Device)
Baseline default: True
Saved from URL
Baseline default: Enabled
mspub.exe (Device)
Baseline default: True
visio.exe (Device)
Baseline default: True
winword.exe (Device)
Baseline default: True
msaccess.exe (Device)
Baseline default: True
onent.exe (Device)
Baseline default: True
outlook.exe (Device)
Baseline default: True
groove.exe (Device)
Baseline default: True
excel.exe (Device)
Baseline default: True
powerpnt.exe (Device)
Baseline default: True
pptview.exe (Device)
Baseline default: True
exprwd.exe (Device)
Baseline default: True
mse7.exe (Device)
Baseline default: True
spDesign.exe (Device)
Baseline default: True
winproj.exe (Device)
Baseline default: True
Scripted Window Security Restrictions
Baseline default: Enabled
visio.exe (Device)
Baseline default: True
onent.exe (Device)
Baseline default: True
winproj.exe (Device)
Baseline default: True
winword.exe (Device)
Baseline default: True
exprwd.exe (Device)
Baseline default: True
mse7.exe (Device)
Baseline default: True
mspub.exe (Device)
Baseline default: True
outlook.exe (Device)
Baseline default: True
msaccess.exe (Device)
Baseline default: True
powerpnt.exe (Device)
Baseline default: True
groove.exe (Device)
Baseline default: True
excel.exe (Device)
Baseline default: True
pptview.exe (Device)
Baseline default: True
spDesign.exe (Device)
Baseline default: True
Security > Security Form Settings
The "Outlook Security Mode" policy controls how security settings in Outlook are enforced. To manage any of the dependent Outlook security policies using Microsoft Intune, the Office cloud policy service, or Group Policy, this policy must be enabled and the Outlook Security Policy dropdown set to "Use Outlook Security Group Policy".
Outlook Security Policy: (User)
Baseline default: Use Outlook Security Group Policy
Prevent users from customizing attachment security settings (User)
Baseline default: Enabled
Retrieving CRLs (Certificate Revocation Lists) (User)
Baseline default: Enabled
Configure Outlook object model prompt When accessing the Formula property of a UserProperty object (User)
Baseline default: Enabled
Authentication with Exchange Server (User)
Baseline default: Enabled
Enable RPC encryption (User)
Baseline default: Enabled
Allow hyperlinks in suspected phishing e-mail messages (User)
Baseline default: Disabled
Configure Outlook object model prompt when reading address information (User)
Baseline default: Enabled
Configure Outlook object model prompt when sending mail (User)
Baseline default: Enabled
Allow users to demote attachments to Level 2 (User)
Baseline default: Disabled
Allow Active X One Off Forms (User)
Baseline default: Enabled
Allow scripts in one-off Outlook forms (User)
Baseline default: Disabled
Remove file extensions blocked as Level 2 (User)
Baseline default: Enabled
Use Unicode format when dragging e-mail message to file system (User)
Baseline default: Disabled
Set Outlook object model custom actions execution prompt (User)
Baseline default: Enabled
Do not allow Outlook object model scripts to run for public folders (User)
Baseline default: Enabled
Include Internet in Safe Zones for Automatic Picture Download (User)
Baseline default: Disabled
Security setting for macros (User)
Baseline default: Enabled
Remove file extensions blocked as Level 1 (User)
Baseline default: Enabled
Signature Warning (User)
Baseline default: Enabled
Display Level 1 attachments (User)
Baseline default: Disabled
Minimum encryption settings (User)
Baseline default: Enabled
Do not allow Outlook object model scripts to run for shared folders (User)
Baseline default: Enabled
Configure Outlook object model prompt when executing Save As (User)
Baseline default: Enabled
Configure Outlook object model prompt when responding to meeting and task requests (User)
Baseline default: Enabled
PowerPoint Options > Security
Scan encrypted macros in PowerPoint Open XML presentations (User)
Baseline default: Enabled
Turn off file validation (User)
Baseline default: Disabled
PowerPoint Options > Security > Trust Center
Require that application add-ins are signed by Trusted Publisher (User)
Baseline default: Enabled
VBA Macro Notification Settings (User)
Baseline default: Enabled
PowerPoint Options > Security > Trust Center > File Block Settings
PowerPoint 97-2003 presentations, shows, templates and add-in files (User)
Baseline default: Enabled
Set default file block behavior (User)
Baseline default: Enabled
PowerPoint Options > Security > Trust Center > Protected View
Do not open files from the Internet zone in Protected View (User)
Baseline default: Disabled
Do not open files in unsafe locations in Protected View (User)
Baseline default: Disabled
Set document behavior if file validation fails (User)
Baseline default: Enabled
Turn off Protected View for attachments opened from Outlook (User)
Baseline default: Disabled
PowerPoint Options > Security > Trust Center > Trusted Locations
Project Options > Security > Trust Center
Require that application add-ins are signed by Trusted Publisher (User)
Baseline default: Enabled
VBA Macro Notification Settings (User)
Baseline default: Enabled
Security
Security > Trust Center
Block macros from running in Office files from the internet (User)
Baseline default: Enabled
Disable Trust Bar Notification for unsigned application add-ins (User) (Deprecated)
Baseline default: Enabled
Require that application add-ins are signed by Trusted Publisher (User)
Baseline default: Enabled
VBA Macro Notification Settings (User)
Baseline default: Enabled
Visio Options > Security > Trust Center
Allow Trusted Locations on the network (User)
Baseline default: Disabled
Block macros from running in Office files from the Internet (User)
Baseline default: Enabled
Require that application add-ins are signed by Trusted Publisher (User)
Baseline default: Enabled
VBA Macro Notification Settings (User)
Baseline default: Enabled
Visio Options > Security > Trust Center > File Block Settings
Visio 2000-2002 Binary Drawings, Templates and Stencils (User)
Baseline default: Enabled
Visio 2003-2010 Binary Drawings, Templates and Stencils (User)
Baseline default: Enabled
Visio 5.0 or earlier Binary Drawings, Templates and Stencils (User)
Baseline default: Enabled
Word Options > Security > Trust Center
Dynamic Data Exchange (User)
Baseline default: Disabled
Require that application add-ins are signed by Trusted Publisher (User)
Baseline default: Enabled
Scan encrypted macros in Word Open XML documents (User)
Baseline default: Enabled
VBA Macro Notification Settings (User)
Baseline default: Enabled
Word Options > Security > Trust Center > File Block Settings
Set default file block behavior (User)
Baseline default: Enabled
Word 2 and earlier binary documents and templates (User)
Baseline default: Enabled
Word 2000 binary documents and templates (User)
Baseline default: Enabled
Word 2003 binary documents and templates (User)
Baseline default: Enabled
Word 2007 and later binary documents and templates (User)
Baseline default: Enabled
Word 6.0 binary documents and templates (User)
Baseline default: Enabled
Word 95 binary documents and templates (User)
Baseline default: Enabled
Word 97 binary documents and templates (User)
Baseline default: Enabled
Word XP binary documents and templates (User)
Baseline default: Enabled
Word Options > Security > Trust Center > Protected View
Do not open files from the Internet zone in Protected View (User)
Baseline default: Disabled
Do not open files in unsafe locations in Protected View (User)
Baseline default: Disabled
Set document behavior if file validation fails (User)
Baseline default: Enabled
Baseline default: Open in Protected View
Checked: Allow edit. Unchecked: Do not allow edit. (User)
Baseline default: False
Turn off Protected View for attachments opened from Outlook (User)
Baseline default: Disabled
Word Options > Security
Word Options > Security > Trust Center > Trusted Locations