Microsoft Office is configured to prevent activation of Object Linking and Embedding packages.

Property	Value
ISM Control	ISM-1542
Revision	0
Updated	Jan-19
Guideline	Not provided
Section	User application hardening
Topic	Hardening user application configurations
Essential Eight	ML2, ML3
PSPF Levels	NC, OS, P, S, TS

Summary

Microsoft Office is configured to block activation of OLE packages, reducing the risk from OLE/COM components in Office documents. The implementation uses a PowerShell script deployed via Intune Scripts to enforce the setting on supported Office versions¹.

The OfficeMacroHardening-PreventActivationofOLE.ps1 script writes the following registry values to block OLE package activation in Office 2016 and later:

Registry path	Value name	Type	Value	Effect
`HKCU\Software\Microsoft\Office\16.0\Excel\Security`	`PackagerPrompt`	DWORD	`0`	Suppress OLE activation prompt in Excel
`HKCU\Software\Microsoft\Office\16.0\PowerPoint\Security`	`PackagerPrompt`	DWORD	`0`	Suppress OLE activation prompt in PowerPoint
`HKCU\Software\Microsoft\Office\16.0\Word\Security`	`PackagerPrompt`	DWORD	`0`	Suppress OLE activation prompt in Word
`HKLM\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Office\16.0\Common\COM Compatibility\<CLSID>`	`ActivationFilterOverride`	DWORD	`0`	Block activation of risky COM class CLSIDs

[!NOTE] These are HKCU (per-user) keys written when the script runs with logged-on credentials. An alternative approach is to deploy the same keys via Intune Settings Catalog (Custom OMA-URI) or Group Policy Preferences, or to enforce the block at the kernel-mode code-integrity layer using a WDAC deny rule for the OLE COM DLL (e.g., mshtml.dll). The WDAC approach is system-wide and harder to bypass, but requires policy authoring and signing.[^3]

Justification

CVE-2014-6352: Windows OLE remote code execution vulnerability exploited via specially crafted Office files containing OLE objects; blocking OLE activation mitigates this risk².

Design Decision

[!NOTE] The OfficeMacroHardeningPreventActivationOfOle.ps1 script will be deployed via Intune Scripts to disable OLE package activation in Office. It will be targeted to Office 2016 and later and OLE activation will be blocked in Excel, PowerPoint, and Word.

Prerequisites

Permissions/Roles

Administrative access to Microsoft Intune to create and assign the PowerShell script under Devices > Scripts and target the deployment to a group (for example, All Office Users) or a deployment group. ¹
Device management prerequisites: Device must be enrolled in Microsoft Intune and Entra ID (or hybrid Azure AD joined) to receive and apply the script. ¹

Dependencies

OfficeMacroHardening-PreventActivationofOLE.ps1 PowerShell script to import registry keys that block activation of OLE packages in Excel, PowerPoint, and Word (Office 2016 and later). ¹
OfficeMacroHardening-PreventActivationofOLE-Office2013.ps1 script for Office 2013, if applicable. ¹
The script is imported into Intune as a PowerShell script with the following options:
- Run this script using the logged on credentials: Yes
- Enforce script signature check: No
- Run script in 64-bit PowerShell Host: No These run-time options are required for deployment. ¹²
The script is unsigned. If script signing is required in the environment, sign the script and set Enforce script signature check to Yes. ¹
Office 2016 and later requirement: The primary script targets Office 2016 and later. ¹

Implementation Steps

Intune Script Deployment to Disable OLE Package Activation in Office (OfficeMacroHardeningPreventActivationOfOle.ps1)

Add the OfficeMacroHardening-PreventActivationofOLE.ps1PowerShell script to Intune as a PowerShell script with the following options:

Setting	Value
Run this script using the logged on credentials	Yes
Enforce script signature check	No
Run script in 64-bit PowerShell Host	No

Assign the script to a deployment group. ¹
Note: The script is specifically for Office 2016 and later. A script to prevent the activation of OLE for Office 2013 is provided here: OfficeMacroHardening-PreventActivationofOLE-Office2013.ps1. ¹
If script signing is required, sign the script and change the Enforce script signature check to: Yes. See [Methods of signing scripts] documentation. ¹

Intune Step-by-step Wizard Deployment to Import and Assign Script (OfficeMacroHardening-PreventActivationofOLE.ps1)

Navigate to Devices > Scripts and create a new PowerShell script. ²
Import the PowerShell script to prevent activation of Object Linking and Embedding packages. ²
Run this script using the logged on credentials: Yes. ²
Enforce script signature check: No. ²
Run script in 64-bit PowerShell Host: No. ²
Assign the PowerShell script to: All Office Users (created in Stage 1). ²

[!NOTE] This PowerShell script is specifically for Office 2016 and later. A script to prevent the activation of OLE for Office 2013 is provided here: OfficeMacroHardening-PreventActivationofOLE-Office2013.ps1. ²

Essential Eight user application hardening provides guidance on blocking activation of OLE packages in Office via scripting and policy deployment Essential Eight user application hardening
Essential Eight configure Microsoft Office macro settings details how to import and assign a script to all Office users to enforce OLE blocking Essential Eight configure Microsoft Office macro settings
How to control the blocking of OLE/COM components in Microsoft 365 Subscription explains registry-based controls for enabling or disabling OLE/COM activation How to control the blocking of OLE/COM components in Microsoft 365 Subscription
Microsoft Security Bulletin MS14-064 - Critical documents the CVE-2014-6352 OLE remote code execution vulnerability and mitigation Microsoft Security Bulletin MS14-064 - Critical
ASD Blueprint: Microsoft Office hardening - ASD’s Blueprint for Secure Cloud describes design decisions for hardening Office and centralized management ASD Blueprint: Microsoft Office hardening - ASD’s Blueprint for Secure Cloud

🛡️ Essential 8 Guide