Microsoft Office System 2016 Security Technical Implementation Guide

This policy setting controls whether the Help Improve Proofing Tools feature sends usage data to Microsoft. The Help Improve Proofing Tools feature collects data about use of the Proofing Tools, such as additions to the custom dictionary, and sends it to Microsoft. After about six months, the feature stops sending data to Microsoft and deletes the data collection file from the user's computer. If you enable this policy setting, this feature is enabled if users choose to participate in the Customer Experience Improvement Program (CEIP). If your organization has policies that govern the use of external resources such as the CEIP, allowing the use of the Help Improve Proofing Tools feature might cause them to violate these policies. If you disable this policy setting, the Help Improve Proofing Tools feature does not collect proofing tool usage information and transmit it to Microsoft. If you do not configure this policy setting, the behavior is the equivalent of setting the policy to "Enabled".

This policy setting controls whether Office 2016 applications notify users when potentially unsafe features or content are detected, or whether such features or content are silently disabled without notification. The Message Bar in Office 2016 applications is used to identify security issues, such as unsigned macros or potentially unsafe add-ins. When such issues are detected, the application disables the unsafe feature or content and displays the Message Bar at the top of the active window. The Message Bar informs the users about the nature of the security issue and, in some cases, provides the users with an option to enable the potentially unsafe feature or content, which could harm the user's computer. If you enable this policy setting, Office 2016 applications do not display information in the Message Bar about potentially unsafe content that has been detected or has automatically been blocked. If you disable this policy setting, Office 2016 applications display information in the Message Bar about content that has automatically been blocked. If you do not configure this policy setting, if an Office 2016 application detects a security issue, the Message Bar is displayed. However, this configuration can be modified by users in the Trust Center.

This policy setting determines whether metadata is encrypted in Office Open XML files that are protected by Information Rights Management (IRM). If you enable this policy setting, Excel, PowerPoint, and Word encrypt metadata stored in rights-managed Office Open XML files and override any configuration changes on users' computers. If you disable this policy setting, Office 2016 applications cannot encrypt metadata in rights-managed Office Open XML files, which can reduce security. If you do not configure this policy setting, when Information Rights Management (IRM) is used to restrict access to an Office Open XML document, any metadata associated with the document is not encrypted.

This policy setting determines whether metadata is encrypted when an Office Open XML file is password protected. If you enable this policy setting, Excel 2016, PowerPoint 2016, and Word 2016 encrypt metadata stored in password-protected Office Open XML files and override any configuration changes on users' computers. If you disable this policy setting, Office 2016 applications cannot encrypt metadata in password-protected Office Open XML files, which can reduce security. If you do not configure this policy setting, when an Office Open XML document is protected with a password and saved, any metadata associated with the document is encrypted along with the rest of the document's contents. If this configuration is changed, potentially sensitive information such as the document author and hyperlink references could be exposed to unauthorized people.

This policy setting allows you to specify an encryption type for Office Open XML files. If you enable this policy setting, you can specify the type of encryption that Office applications use to encrypt password-protected files in the Office Open XML file formats used by Excel, PowerPoint, and Word. The chosen encryption type must have a corresponding cryptographic service provider (CSP) installed on the computer that encrypts the file. See the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\ registry key for a list of CSPs installed on the local computer. Specify the encryption type to use by entering it in the provided text box in the following form:,,For example: Microsoft Enhanced Cryptographic Provider v1.0,RC4,128. If you disable or do not configure this policy setting, the default CSP is used. The default cryptographic service provider (CSP) is Microsoft Enhanced RSA and AES Cryptographic Provider, AES-128, 128-bit.Note: This policy setting does not take effect unless the registry key HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\\Security\Crypto\CompatMode is set to 0. By default the CompatMode registry key is set to 1.

This policy setting enables you to specify an encryption type for password-protected Office 97-2003 files. If you enable this policy setting, you can specify the type of encryption that Office applications will use to encrypt password-protected files in the older Office 97-2003 file formats. The chosen encryption type must have a corresponding cryptographic service provider (CSP) installed on the computer that encrypts the file. See the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\ registry key for a list of CSPs installed on the local computer. Specify the encryption type to use by entering it in the provided text box in the following form:,,.For example, Microsoft Enhanced Cryptographic Provider v1.0,RC4,128. If you do not configure this policy setting, Excel, PowerPoint, and Word use Office 97/2000 Compatible encryption, a proprietary encryption method, to encrypt password-protected Office 97-2003 files.

This policy setting specifies the Microsoft ActiveX« initialization security level for all Microsoft Office applications. ActiveX controls can adversely affect a computer directly. In addition, malicious code can be used to compromise an ActiveX control and attack a computer. To indicate the safety of an ActiveX control, developers can denote them as Safe For Initialization (SFI). SFI indicates that a control is safe to open and run, and that it is not capable of causing a problem for any computer, regardless of whether it has persisted data values or not. If a control is not marked SFI, it is possible that the control could adversely affect a computer--or it could mean that the developers did not test the control in all situations and are not sure whether it might be compromised in the future. If you enable this policy setting, you can set the ActiveX security level to a number between 1 and 6. These security levels are as follows: 1 - Regardless of how the control is marked, load it and use the persisted values (if any). This setting does not prompt the user. 2 - If SFI, load the control in safe mode and use persisted values (if any). If not SFI, load in unsafe mode with persisted values (if any), or use the default (first-time initialization) settings. This level is similar to the default configuration, but does not prompt the user. 3 - If SFI, load the control in unsafe mode and use persisted values (if any). If not SFI, prompt the user and advise them that it is marked unsafe. If the user chooses No at the prompt, do not load the control. Otherwise, load it with default (first-time initialization) settings. 4 - If SFI, load the control in safe mode and use persisted values (if any). If not SFI, prompt the user and advise them that it is marked unsafe. If the user chooses No at the prompt, do not load the control. Otherwise, load it with default (first-time initialization) settings. 5 - If SFI, load the control in unsafe mode and use persisted values (if any). If not SFI, prompt the user and advise them that it is marked unsafe. If the user chooses No at the prompt, do not load the control. Otherwise, load it with persisted values. 6 - If SFI, load the control in safe mode and use persisted values (if any). If not SFI, prompt the user and advise them that it is marked unsafe. If the user chooses No at the prompt, do not load the control. Otherwise, load it with persisted values. If you disable or do not configure this policy setting, if a control is marked SFI, the application loads the control in safe mode and uses persisted values (if any). If the control is not marked SFI, the application loads the control in unsafe mode with persisted values (if any), or uses the default (first-time initialization) settings. In both situations, the Message Bar informs users that the controls have been disabled and prompts them to respond. Important - Some ActiveX controls do not respect the safe mode registry setting, and therefore might load persisted data even though you configure this setting to instruct the control to use safe mode. This setting only increases security for ActiveX controls that are accurately marked as SFI. In situations that involve malicious or poorly designed code, an ActiveX control might be inaccurately marked as SFI.

This policy setting allows you to control how ActiveX controls in UserForms should be initialized based upon whether they are Safe For Initialization (SFI) or Unsafefor Initialization (UFI). ActiveX controls are Component Object Model (COM) objects and have unrestricted access to users' computers. ActiveX controls can access the local file system and change the registry settings of the operating system. If a malicious user repurposes an ActiveX control to take over a user's computer, the effect could be significant. To help improve security, ActiveX developers can mark controls as Safe For Initialization (SFI), which means that the developer states that the controls are safe to open and run and not capable of causing harm to any computers. If a control is not marked SFI, the control could adversely affect a computer--or it's possible the developers did not test the control in all situations and are not sure whether their control might be compromised at some future date.SFI controls run in safe mode, which limits their access to the computer. For example, a worksheet control can both read and write files when it is in unsafe mode, but perhaps only read from files when it is in safe mode. This functionality allows the control to be used in very powerful ways when safety wasn't important, but the control would still be safe for use in a Web page. If a control is not marked as SFI, it is marked Unsafe For Initialization (UFI), which means that it is capable of affecting a user's computer. If UFI ActiveX controls are loaded, they are always loaded in unsafe mode. If you enable this policy setting, you can choose from four options for loading controls in UserForms: 1- For a UFI or SFI signed control that supports safe and unsafe mode, load the control in unsafe mode. For an SFI signed control that only supports a safe mode configuration, load the control in safe mode. This option enforces the default configuration. 2 - Users are prompted to determine how UserForm forms will load. The prompt only displays once per session within an application. When users respond to the prompt, loading continues based on whether the control is UFI or SFI: - For a UFI signed control, if users respond Yes to the prompt, load the control in unsafe mode. If users respond No, load the control using the default properties. - For an SFI signed control that supports both safe and unsafe modes, if users respond Yes to the prompt, load the control in unsafe mode. If users respond No, load the control using safe mode. If the SFI control can only support safe mode, load the control in safe mode. This option is the default configuration in the Microsoft Office 2016 release. 3 - Users are prompted to determine how UserForm forms will load. The prompt only displays once per session within an application. When users respond to the prompt, loading continues based on whether the control is UFI or SFI: - For a UFI signed control, if users respond Yes to the prompt, load the control in unsafe mode. If users respond No, load the control with its default properties. - For an SFI signed control, load in safe mode. 4 - For a UFI signed control, load with the default properties of the control. For an SFI signed control, load in safe mode (considered to be the safest mode). If you disable or do not configure this policy setting, the behavior is as if you enable this policy setting and then select option 1.

This policy setting controls whether macros can run in an Office 2016 application that is opened programmatically by another application. If you enable this policy setting, you can choose from three options for controlling macro behavior in Excel, PowerPoint, and Word when the application is opened programmatically: - Disable macros by default - All macros are disabled in the programmatically opened application. - Macros enabled (default) - Macros can run in the programmatically opened application. This option enforces the default configuration in Excel, PowerPoint, and Word. - User application macro security level - Macro functionality is determined by the setting in the "Macro Settings" section of the Trust Center. If you disable or do not configure this policy setting, when a separate program is used to launch Microsoft Excel, PowerPoint, or Word programmatically, any macros can run in the programmatically opened application without being blocked.

This policy setting controls whether trusted locations can be defined by users, the Office Customization Tool (OCT), and Group Policy, or if they must be defined by Group Policy alone. If you enable this policy setting, users can specify any location as a trusted location, and a computer can have a combination of user-created, OCT-created, and Group Policy-created trusted locations. If you disable this policy setting, all trusted locations that are not created by Group Policy are disabled and users cannot create new trusted locations in the Trust Center. If you do not configure this policy setting, the behavior is the equivalent of setting the policy to Enabled. Note - InfoPath 2016 and Outlook 2016 do not recognize trusted locations, and therefore are unaffected by this policy setting.

This policy setting controls whether Office 2016 applications can load an XML expansion pack manifest file with a Smart Document. An XML expansion pack is the group of files that constitutes a Smart Document in Excel and Word. You package one or more components that provide the logic needed for a Smart Document by using an XML expansion pack. These components can include any type of file, including XML schemas, Extensible Stylesheet Language Transforms (XSLTs), dynamic-link libraries (DLLs), and image files, as well as additional XML files, HTML files, Word files, Excel files, and text files. The key component to building an XML expansion pack is creating an XML expansion pack manifest file. By creating this file, you specify the locations of all files that make up the XML expansion pack, as well as information that instructs Office 2016 how to set up the files for your Smart Document. The XML expansion pack can also contain information about how to set up some files, such as how to install and register a COM object required by the XML expansion pack. If you enable this policy setting, Office 2016 applications cannot load XML expansion packs with Smart Documents. If you disable or do not configure this policy setting, Office 2016 applications can load an XML expansion pack manifest file with a Smart Document.

This policy setting controls whether users are required to connect to the Internet or a local network to have their licenses confirmed every time they attempt to open Excel workbooks, InfoPath forms or templates, Outlook e-mail messages, PowerPoint presentations, or Word documents that are protected by Information Rights Management (IRM). This policy is useful if you want to log the usage of files with restricted permissions on the server. If you enable this policy setting, users are required to connect to verify permissions. This policy setting will only affect protected files created on machines where the policy is enabled. If you disable or do not configure this policy setting, users are not required to connect to the network to verify permissions.

This policy setting controls whether document metadata can be saved in PDF and XPS documents. If you enable this policy setting, document properties metadata is not exported to PDF and XPS files. If you disable this policy setting, document properties metadata will always be saved with PDF and XPS files, and users will not be able to override this configuration. If you do not configure this policy setting, if the Microsoft Save as PDF or XPS Add-in for Microsoft Office Programs add-in is installed, document properties are saved as metadata when users save files using the PDF or XPS or Publish as PDF or XPS commands in Access, Excel, InfoPath, PowerPoint, and Word, unless the "Document properties" option is unchecked in the Options dialog.

This policy setting allows you configure if the document properties are encrypted. This applies to OLE documents (Office 97-2003 compatible) if the application is configured for CAPI RC4. If you enable this policy setting, the document properties will be encrypted. If you disable or do not configure this policy setting, the document properties will not be encrypted.

This policy setting allows you to remove Office Presentation Service from the list of online presentation services in PowerPoint and Word. This list appears when a user selects Present Online from the Share tab in Backstage view and in the ribbon in PowerPoint. If you enable this policy setting, Office Presentation Service is not shown as an option for presenting online. If you disable or do not configure this policy setting, users can select Office Presentation Service to present their PowerPoint or Word file to other users online.

This policy setting allows you to restrict the ability to create an online presentation programmatically in PowerPoint and Word. If you enable this policy setting, an online presentation cannot be created programmatically. If you disable or do not configure this policy setting, an online presentation can be created programmatically.

This policy setting manages whether the Office Feedback Tool (a.k.a. Send a Smile) allows the user to send a screenshot of their desktop with their feedback to Microsoft. The Office Feedback Tool allows users to provide Microsoft feedback regarding their positive and negative experiences when using Office. If you enable this policy setting, the Office Feedback Tool will allow the user to send a screenshot of their desktop with their feedback to Microsoft. If you disable this policy setting, the Office Feedback Tool will not allow the user to send a screenshot of their desktop with their feedback to Microsoft. If you do not configure this policy setting, the behavior is the equivalent of setting the policy to "Enabled".

This policy setting allows users to run unsecure web add-in, which are add-ins that have web page or catalog locations that are not SSL-secured (https://), and are not in users' Internet zones. If you enable this policy setting, users can run unsecure apps. To enable specific unsecure web add-ins, you must also configure the Trusted Web add-in Catalog policy settings to trust the catalogs that contains those Add-ins. If you disable or do not configure this policy setting, unsecure web add-ins are not allowed.

This policy setting configures Office Telemetry Agent to disguise, or obfuscate, certain file properties that are reported in telemetry data. If you enable this policy setting, Office Telemetry Agent obfuscates the file name, file path, and title of Office documents before uploading telemetry data to the shared folder. If you disable or do not configure this policy setting, Office Telemetry Agent uploads telemetry data that shows the full file name, file path, and title of all Office documents.

This policy setting controls whether users can send personal information to Office. When users choose to send information Office 2016 applications automatically send information to Office. If you enable this policy setting, users will opt into sending personal information to Office. If your organization has policies that govern the use of external resources, opting users into the program might cause them to violate these policies. If you disable this policy setting, Office 2016 users cannot send personal information to Office. If you do not configure this policy setting, the behavior is the equivalent of setting the policy to "Enabled".