Microsoft Office is blocked from creating executable content.

Property	Value
ISM Control	ISM-1668
Revision	0
Updated	Sep-21
Guideline	Not provided
Section	User application hardening
Topic	Hardening user application configurations
Essential Eight	ML2, ML3
PSPF Levels	NC, OS, P, S, TS

Summary

Block Office applications from creating executable content by enabling the ASR rule for Office apps/macros via Intune, reducing the risk of Office macros or documents delivering executable payloads.¹²

The specific ASR rule is Block Office applications from creating executable content (GUID: 3B576869-A4EC-4529-8536-B80A7769E899). This rule prevents Word, Excel, PowerPoint, and other Office applications from writing executable files (.exe, .dll, .scr, .ps1, .js, .vbs) to disk. It complements ISM-1667 (Block Office from creating child processes), which acts at a later stage by blocking process execution.

Justification

Not provided in source documentation.

Design Decision

[!NOTE] The policy Block Office applications from creating executable content will be deployed via Intune Attack Surface Reduction rules. Office apps from creating executable content will be blocked.

Prerequisites

Permissions/Roles
- Access to the Intune console to create and deploy the ASR policy that blocks Office apps from creating executable content. ³
Dependencies
- Microsoft Intune managed devices and enrollment in Entra ID or hybrid Azure AD joined to receive policy. ³
- Microsoft Defender Antivirus installed and active on devices to support ASR enforcement. ⁴
Testing and Validation
- ASR rules should be tested in audit mode before enforcement to identify compatibility issues. ⁵

Implementation Steps

Enable ASR rule to block Office apps from creating executable content via Intune

In the Intune ASR policy, locate the setting Block Office applications from creating executable content (Office apps/macros creating executable content).¹
Set the value to Block.²
For direct OMA-URI deployment, use:
- OMA-URI: ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules
- Data type: String
- Value (audit mode): 3B576869-A4EC-4529-8536-B80A7769E899=2
- Change =2 to =1 to switch to Block mode after audit validation.
Monitor audit events: Event ID 1122 (audit) and 1121 (block) in Microsoft-Windows-Windows Defender/Operational. In Microsoft 365 Defender Advanced Hunting, filter on ActionType = AsrOfficeExecutableContentAudited or AsrOfficeExecutableContentBlocked.
Validate by testing the ASR policy in audit mode before enforcement to ensure compatibility in your environment.⁵

[!NOTE] ASR rules should be tested for compatibility issues in any environment before enforcement.⁵

Essential Eight user application hardening provides ASR guidance for Office hardening and importable policy configurations Essential Eight user application hardening
ASD Blueprint: Microsoft Office hardening outlines ASR controls and design considerations for Office hardening ASD Blueprint: Microsoft Office hardening
Windows settings you can manage through an Intune Endpoint Protection profile describes ASR settings in Intune for Office macros and executable content Windows settings you can manage through an Intune Endpoint Protection profile
Create and deploy an Exploit Guard policy demonstrates configuring ASR rules for Office hardening in Intune/Microsoft Defender Create and deploy an Exploit Guard policy

🛡️ Essential 8 Guide