none
Microsoft Office 2010 (machine)/Security Settings/IE Settings

    Question

  • Hi,

    Few questions around the Office 2010 (machine) \ Security settings \ IE security hoping to get some clarification.

    We downloaded the Office 2010 computer security from SCM 4.0 (as below figure, the IE Security settings is for Microsoft Office 2010):

    When import the cab file into a computer gpo for office 2010. The IE settings went into the office 2007 system (machine) template, and nothing in the Office 2010 (machine) template:

    We have tried exporting from scm and importing to different GPO many times. The IE Security settings always goes into Office 2007 template.

    >> Can you please clarify if this is by design / or known issue / .... or ?

    >> Problem is we cannot put this computer Office 2010 GPO to PRD env, as there are computer Office 2007 gpo out there with a different set of IE Security settings.

    So we manually changed the IE settings for computer Office 2010 gpo.

    However, another mystery (or not), for any settings configured, I.E Add-on Management, Bind to Object etc on the Office 2010 (machine) template, it get "replicated" / set on the Office 2013 (machine) as well as the Office 2016 (machine) !!!

    >> This is by design . ????? Because we also noticed that by changing the Office 2013 (machine) policy for a Office 2013 GPO, the settings also get "replicated" to Office 2010 & Office 2016 template!!!

    >> If this is by design ... how is it going to work for an environment where there are many version of Office on the PRD env, where each Office version has it own computer GPO with different settings?


    Best Regards,





    Friday, August 5, 2016 1:02 AM

Answers

  • Although it may appear that these settings are related to Office (and therefore may appear to be Office-version-specific), in fact these are not Office settings at all, they are really IE settings.

    As such, these IE settings are *not* Office-version-specific, and affect the computer-wide aspect of IE+Office integration.

    This can be seen by observing the actual registry key which this setting manipulates:

    HKLM\software\microsoft\internet explorer\main\featurecontrol\feature_addon_management!

    So, this setting, if managed, will affect any/all versions of Office upon the targeted computer.


    Don [doesn't work for MSFT, and they're probably glad about that ;]

    NB: [from the Win8.1/WS2012R2 GP Settings Reference workbook]

    Template: inetres.admx
    Applies to: At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Service Pack 1
    Policy Path: Windows Components\Internet Explorer\Security Features\Add-on Management  
    Registry path: HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ADDON_MANAGEMENT!*

    Explain_Text: This policy setting allows you to manage whether processes respect add-on management user preferences (as reflected by Add-on Manager) or policy settings. 
    By default any process other than the Internet Explorer processes or those listed in the 'Process List' policy setting ignore add-on management user preferences and policy settings.
    - If you enable this policy setting all processes will respect add-on management user preferences and policy settings.
    - If you disable or do not configure this policy setting all processes will not respect add-on management user preferences or policy settings.


    Don [doesn't work for MSFT, and they're probably glad about that ;]

    • Marked as answer by BlueBerries Monday, August 8, 2016 12:51 AM
    Friday, August 5, 2016 10:46 AM
  • Hi,

    Copying newer .admx files over the existing definitions will not affect the existing GP. You could refer to the following articles to get more information:

    How to create and manage the Central Store for Group Policy Administrative Templates in Windows

    https://support.microsoft.com/en-us/kb/3087759

    How do you update your Group Policy ADMX files?

    http://deploywindows.info/2015/08/20/how-do-you-update-your-group-policy-admx-files/

    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    Best Regards,

    Alvin Wang


    Please remember to mark the replies as an answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Marked as answer by BlueBerries Thursday, August 11, 2016 12:37 AM
    Wednesday, August 10, 2016 6:37 AM
    Moderator

All replies

  • Hi,

    Few questions around the Office 2010 (machine) \ Security settings \ IE security hoping to get some clarification.

    We downloaded the Office 2010 computer security from SCM 4.0 (as below figure, the IE Security settings is for Microsoft Office 2010):

    When import the cab file into a computer gpo for office 2010. The IE settings went into the office 2007 system (machine) template, and nothing in the Office 2010 (machine) template:

    We have tried exporting from scm and importing to different GPO many times. The IE Security settings always goes into Office 2007 template.

    >> Can you please clarify if this is by design / or known issue / .... or ?

    >> Problem is we cannot put this computer Office 2010 GPO to PRD env, as there are computer Office 2007 gpo out there with a different set of IE Security settings.

    So we manually changed the IE settings for computer Office 2010 gpo.

    However, another mystery (or not), for any settings configured, I.E Add-on Management, Bind to Object etc on the Office 2010 (machine) template, it get "replicated" / set on the Office 2013 (machine) as well as the Office 2016 (machine) !!!

    >> This is by design . ????? Because we also noticed that by changing the Office 2013 (machine) policy for a Office 2013 GPO, the settings also get "replicated" to Office 2010 & Office 2016 template!!!

    >> If this is by design ... how is it going to work for an environment where there are many version of Office on the PRD env, where each Office version has it own computer GPO with different settings?


    Best Regards,




    To Add more information on the above question, the registry key of I.E, Add on Management:

    For Office 2007 & Office 2010 and on different path:

    > Why would importing a Office 2010 from SCM went into the Office 2007 template?

    The registry key for Office 2010 is on different path for Office 2013 and Office 2016. (as above).

    > why would changing the Office 2010 (machine) template also changes the Office 2013 & 2016 template?

    please check and confirm.


    Best Regards,


    Friday, August 5, 2016 1:58 AM
  • Although it may appear that these settings are related to Office (and therefore may appear to be Office-version-specific), in fact these are not Office settings at all, they are really IE settings.

    As such, these IE settings are *not* Office-version-specific, and affect the computer-wide aspect of IE+Office integration.

    This can be seen by observing the actual registry key which this setting manipulates:

    HKLM\software\microsoft\internet explorer\main\featurecontrol\feature_addon_management!

    So, this setting, if managed, will affect any/all versions of Office upon the targeted computer.


    Don [doesn't work for MSFT, and they're probably glad about that ;]

    Friday, August 5, 2016 8:33 AM
  • Hi,

    Thanks for your post.

    Would you please describe your steps briefly about exporting the GPO from SCM and importing it to clients?

    Besides, since this issue is more related to the Security and Compliance Management, I suggest to contact Security and Compliance Management Forum for further help:

    https://social.technet.microsoft.com/Forums/en-US/home?forum=compliancemanagement

    The reason why we recommend posting appropriately is you will get the most qualified pool of respondents, and other partners who read the forums regularly can either share their knowledge or learn from your interaction with us.  Thank you for your understanding.

    Best Regards,

    Alvin Wang


    Please remember to mark the replies as an answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, August 5, 2016 8:48 AM
    Moderator
  • Although it may appear that these settings are related to Office (and therefore may appear to be Office-version-specific), in fact these are not Office settings at all, they are really IE settings.

    As such, these IE settings are *not* Office-version-specific, and affect the computer-wide aspect of IE+Office integration.

    This can be seen by observing the actual registry key which this setting manipulates:

    HKLM\software\microsoft\internet explorer\main\featurecontrol\feature_addon_management!

    So, this setting, if managed, will affect any/all versions of Office upon the targeted computer.


    Don [doesn't work for MSFT, and they're probably glad about that ;]

    NB: [from the Win8.1/WS2012R2 GP Settings Reference workbook]

    Template: inetres.admx
    Applies to: At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Service Pack 1
    Policy Path: Windows Components\Internet Explorer\Security Features\Add-on Management  
    Registry path: HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ADDON_MANAGEMENT!*

    Explain_Text: This policy setting allows you to manage whether processes respect add-on management user preferences (as reflected by Add-on Manager) or policy settings. 
    By default any process other than the Internet Explorer processes or those listed in the 'Process List' policy setting ignore add-on management user preferences and policy settings.
    - If you enable this policy setting all processes will respect add-on management user preferences and policy settings.
    - If you disable or do not configure this policy setting all processes will not respect add-on management user preferences or policy settings.


    Don [doesn't work for MSFT, and they're probably glad about that ;]

    • Marked as answer by BlueBerries Monday, August 8, 2016 12:51 AM
    Friday, August 5, 2016 10:46 AM
  • Hi Don,

    Thanks for the info.


    Best Regards,

    Monday, August 8, 2016 12:57 AM
  • Hi Alvwan / Microsoft,

    The Microsoft Security baseline for Office 2010 vs Office 2013 are different, as below:

    In an environment with mixture of Office version, there will be Computer gpo for Office 2013 and Office 2010.

    How is this going work?

    Thank you 


    Best Regards,



    Monday, August 8, 2016 1:04 AM
  • Hi,

    You could try to manage multiple versions of office with the following method:

    Create a GPO for the Office 2010 settings and a separate GPO for the Office 2013 settings then set up a WMI filter for "only if Office 2010 installed" and another for "only if Office 2013 installed" and apply the filter to the matching GPO.

    Best Regards,

    Alvin Wang


    Please remember to mark the replies as an answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, August 8, 2016 6:26 AM
    Moderator
  • Hi Alvin,

    thanks for the reply.

    Can you please confirm if this is by design that by changing the ...\IE Security settings on the Administrative Template for Microsoft Outlook 2010 (machine), these settings are then "replicated" / also "set on" the Microsoft Office 2013 (machine) as well as Microsoft Office 2013 (machine) administrative template?

    and the GPO report (html) will only display the view for ...\IE Security settings the latest version of Microsoft Office that it has in the GPO?

    IE. this is a Office 2010 GPO, the .../IE Security settings are set on Office 2010 (machine), however as mentioned above, the settings also "replicated" to the Office 2013 (machine) template. When view the HTML report: it only show Office 2013 settings:

    Is there a Microsoft supporting article for this?

    thank you


    Best Regards,

    Monday, August 8, 2016 8:15 AM
  • Hi,

    I am sorry there is no such an official article which describes this behavior. I am still trying to search some related information both in website and our internal database about this and will keep you posted if there is any useful information.

    Thanks for your understanding.

    Best Regards,

    Alvin Wang


    Please remember to mark the replies as an answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, August 9, 2016 9:12 AM
    Moderator
  • Hi Alvwan,

    Thanks. please keep us posted.

    We have a Office 2013 GPO which is LIVE in the PROD environment (i.e. Office 2013 gpo), using ADMX files in Central store. Someone actually replaced the original ADMX files for Office 2013 I.e Office15 ADMX files with an updates version.

    Could this bring any impact on the the current PFD Office GPO?

    or how can we update a later version of Office 2013 ADMX files while using a Central Store concept?

    Thanks


    Best Regards,

    Wednesday, August 10, 2016 12:50 AM
  • Hi,

    Copying newer .admx files over the existing definitions will not affect the existing GP. You could refer to the following articles to get more information:

    How to create and manage the Central Store for Group Policy Administrative Templates in Windows

    https://support.microsoft.com/en-us/kb/3087759

    How do you update your Group Policy ADMX files?

    http://deploywindows.info/2015/08/20/how-do-you-update-your-group-policy-admx-files/

    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    Best Regards,

    Alvin Wang


    Please remember to mark the replies as an answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Marked as answer by BlueBerries Thursday, August 11, 2016 12:37 AM
    Wednesday, August 10, 2016 6:37 AM
    Moderator
  • Hi Alvwan,

    thanks for the useful info on ADMX files.

    Please keep us posted when you find out the answer (refer above post August 08) if that is by Microsoft design.

    Thank you


    Best Regards,

    Thursday, August 11, 2016 12:39 AM
  • Hi,

    You're welcome. I will do further research about this case and reply to you if there is any update.

    It is also appreciated that the other members in our forum can share their experience with us about this scenario.

    Best Regards,

    Alvin Wang


    Please remember to mark the replies as an answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, August 11, 2016 5:25 AM
    Moderator
  • Hi Alvwan,

    is there any update? thanks


    Best Regards,

    Tuesday, August 16, 2016 12:41 AM
  • Sorry BlueBerries, I tried searching these days but still no progress. Actually, not all the issues and scenarios will be documented by Microsoft and the issue you encountered should be one of them.

    Best Regards,

    Alvin Wang


    Please remember to mark the replies as an answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Tuesday, August 16, 2016 8:05 AM
    Moderator
  • Hi Alvwan,

    Did Microsoft try to edit the Microsoft Office 2010 / Office 2013 / Office 2016 administrative template to find out whether this is an issue / by design / are they seeing the same thing too?

    Can that be done and confirm?

    Thank you


    Best Regards,

    Wednesday, August 17, 2016 5:17 AM
  • Hi,

    I would suggest you contact Microsoft Customer Support and Services where more in-depth investigation can be done so that you would get a more satisfying explanation and solution to this issue. In addition, if the issue has been proved as system flaw, the consulting fee would be refund. You may find phone number for your region accordingly from the link below:

    Global Customer Service phone numbers 

    https://support.microsoft.com/en-us/gp/customer-service-phone-numbers/en-au?wa=wsignin1.0

    Best Regards,

    Alvin Wang


    Please remember to mark the replies as an answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Wednesday, August 17, 2016 8:18 AM
    Moderator