Group Policy Objects for Office 2013 and Office 2016 are included in the SHB. It is recommended to use the most recent version of Office to leverage the latest security improvements and product enhancements.
- Office 2016 Group Policy Objects and Group Policy Templates. Using the 64-bit version of Office 2016 is recommended.
- Office 2013 Group Policy Objects and Group Policy Templates.
The Office template files can be downloaded from Microsoft. They are also included in the Group Policy Templates folder for each version of Office as a convenience.
Use the PowerShell Group Policy commands to import the Office Group Policy into a domain. Run the following command on a domain controller from a PowerShell prompt running as a domain administrator.
Invoke-ApplySecureHostBaseline -Path '.\Secure-Host-Baseline' -PolicyNames 'Office 2013','Office 2016'
Use Microsoft's LGPO tool to apply the Office Group Policy to a standalone system. Run the following command from a command prompt running as a local administrator.
Invoke-ApplySecureHostBaseline -Path '.\Secure-Host-Baseline' -PolicyNames 'Office 2013','Office 2016' -ToolPath '.\LGPO\lgpo.exe'
Office Macros have proven themselves to be an increasingly popular attack vector. In Office 2016 a new group policy setting was added to block macros downloaded from the internet. The new setting was backported to Office 2013 as part of patch MS16-099. This Information Assurance Advisory was published to recommend blocking Office macros downloaded from the internet.