Full Hardening Policy Template for Office Apps - Deployment Guide in Intune

This will include:

Baseline hardening (as in your screenshot)
Additional Microsoft-recommended settings for maximum security
Ready for Intune or GPO deployment

Office App Security Hardening – Recommended Settings

ategory

Setting

Recommended Value

Flash & Legacy Scripts

Block Flash activation in Office documents

Enabled

Block Flash player in Office

Block all Flash content

Restrict legacy JScript execution for Office

Enabled

Macro Security

Block macros from running in Office files from the Internet

Enabled

Disable Trust Bar Notification for unsigned add-ins

Enabled

Require application add-ins signed by trusted publisher

Enabled

VBA Macro Notification Settings

Enabled (Disable all except digitally signed macros)

Trusted Locations

Allow Trusted Locations on the network

Disabled

Protected View

Enable for files originating from the Internet

Enabled

Enable for files in unsafe locations

Enabled

Enable for Outlook attachments

Enabled

Dynamic Data Exchange (DDE)

Disable DDE in Excel

Enabled

Disable DDE in Word

Enabled

Excel 4.0 Macros

Disable all XLM macros

Enabled

Application Guard (if MDE enabled)

Enable Office Application Guard

Enabled

Step-by-Step Deployment Guide in Intune

Step 1: Go to Security Baselines

In Microsoft Endpoint Manager admin center:
Navigate to: Endpoint security → Security baselines → Microsoft 365 Apps for Enterprise Security Baseline.

Step 2: Create Profile

Click + Create profile.
Name: Office Security Baseline – Hardened.
Platform: Windows 10 and later.
Select baseline version (latest).

Step 3: Configure Key Settings

Expand these sections and configure:

MS Security Guide:
- Block Flash → Enabled
- Block Flash Player → Block all Flash content
- Restrict legacy JScript → Enabled
Application Settings → Security → Trust Center:
- Block macros from Internet → Enabled
- Disable Trust Bar Notification for unsigned add-ins → Enabled
- Require signed add-ins → Enabled
- VBA Macro Notification Settings → Disable all except digitally signed macros
Protected View:
- Enable for Internet files → Enabled
- Enable for unsafe locations → Enabled
- Enable for Outlook attachments → Enabled
Excel 4.0 Macros:
- Disable XLM macros → Enabled
Dynamic Data Exchange (DDE):
- Disable DDE for Excel and Word → Enabled

Step 4: Assign

Start with Pilot Group (IT Team).
Monitor for issues → If stable, deploy to All Users.

Step 5: Monitor

Reports → Security baselines compliance.
Check Intune device status and Event Viewer for policy application.

✅ Want me to now create a complete Intune rollout checklist (Excel format) that includes:

Update Rings
Security Baselines (Windows, Edge, Office, Defender)
Compliance Policies
Conditional Access
App Patching