A few weeks ago, in part four of my series on Windows 11 Best Practices, I covered the often unknown Office 365 Apps Admin Center and cloud policies. Cloud policies are similar to App Protection Policies in that they follow the user and apply settings to Office Apps.
Today we’re going to cover remediating some of the issues that Microsoft Word security policies create, with a focus on Word add-ins. We will cover:
- Challenging settings that are part of Microsoft Word add-ins
- Issues created by the Office security baselines
- Leveraging Intune to enhance security and fix issues with the Office security baselines
Challenging Office Security Baseline Settings for Microsoft Word
We focus on a few interesting settings when it comes to Office security baselines. Let’s look at a few of them:
- Require that application add-ins are signed by Trusted Publisher
- Disable Trust Bar Notification for unsigned application add-ins and block them
- VBA Macro Notification Settings
These settings all revolve around the same idea, but we will discuss each of them briefly. Some people give up and simply turn them off; nothing good comes of that.
Require that application add-ins are signed by Trusted Publisher
When we look at add-ins and macros, there are specific things that we can do to protect ourselves. The two main things we look at are:
- Are they signed?
- Are they signed by trusted publishers?
Adobe’s PDFMaker is one of the bigger add-ins that runs into trouble. We can confirm it is signed by going to “C:\Program Files\Adobe\Acrobat DC\PDFMaker\Common”, opening Properties on one of the DLLs and checking the Digital Signatures tab (or running Get-AuthenticodeSignature against it).

As far as trusted publishers, we will discuss that more shortly.
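Rather than checking one DLL by hand, the following added example (my own script, not code from the original post) enumerates every COM add-in registered for Word, resolves each one to its DLL through the standard ProgID → CLSID → InprocServer32 registry chain, and reports the Authenticode status, the signer, and whether that signer is already in a Trusted Publishers store. It assumes the usual Office add-in registry layout; VSTO add-ins that register a Manifest instead of a CLSID are listed but not signature-checked. Run it in an elevated PowerShell on a device that has the add-ins installed.

```powershell
# Added example: audit Word COM add-ins for signature status and trusted-publisher membership.
# Assumes the standard COM add-in registration (Office\Word\Addins -> ProgID -> CLSID -> InprocServer32).

function Resolve-ComServerPath {
    param([string] $ProgId)
    # ProgID -> CLSID -> InprocServer32 default value is the add-in DLL path
    $clsid = (Get-ItemProperty "Registry::HKEY_CLASSES_ROOT\$ProgId\CLSID" -ErrorAction SilentlyContinue).'(default)'
    if (-not $clsid) { return $null }
    foreach ($root in 'Registry::HKEY_CLASSES_ROOT\CLSID', 'Registry::HKEY_CLASSES_ROOT\WOW6432Node\CLSID') {
        $server = (Get-ItemProperty "$root\$clsid\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
        if ($server) { return [Environment]::ExpandEnvironmentVariables($server.Trim('"')) }
    }
    return $null
}

function Get-WordAddinSignatureReport {
    $addinKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Office\Word\Addins',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Office\Word\Addins',
        'HKCU:\SOFTWARE\Microsoft\Office\Word\Addins'
    )
    # Every certificate currently trusted as a publisher, machine and user scope
    $trustedThumbprints = @(
        Get-ChildItem Cert:\LocalMachine\TrustedPublisher, Cert:\CurrentUser\TrustedPublisher -ErrorAction SilentlyContinue |
            Select-Object -ExpandProperty Thumbprint
    )

    foreach ($key in ($addinKeys | Where-Object { Test-Path $_ })) {
        foreach ($addin in Get-ChildItem $key) {
            $progId = $addin.PSChildName
            $props  = Get-ItemProperty $addin.PSPath
            # VSTO (managed) add-ins carry a Manifest value instead of a COM CLSID
            $dll    = if ($props.Manifest) { $null } else { Resolve-ComServerPath -ProgId $progId }
            $status = if ($props.Manifest) { 'ManagedAddin(Manifest)' } else { 'NoDllFound' }
            $signer = $null; $thumb = $null; $inStore = $false

            if ($dll -and (Test-Path $dll)) {
                $sig    = Get-AuthenticodeSignature -FilePath $dll
                $status = $sig.Status            # Valid, NotSigned, HashMismatch, UnknownError ...
                if ($sig.SignerCertificate) {
                    $signer  = $sig.SignerCertificate.Subject
                    $thumb   = $sig.SignerCertificate.Thumbprint
                    $inStore = $trustedThumbprints -contains $thumb
                }
            }

            [pscustomobject]@{
                ProgId              = $progId
                FriendlyName        = $props.FriendlyName
                LoadBehavior        = $props.LoadBehavior   # 3 = load at startup
                Dll                 = $dll
                SignatureStatus     = $status
                Signer              = $signer
                Thumbprint          = $thumb
                InTrustedPublishers = $inStore
            }
        }
    }
}

# Add-ins that are signed but whose signer is not trusted are exactly the ones the
# baseline will block and that need a Trusted Publishers push.
Get-WordAddinSignatureReport | Format-Table ProgId, SignatureStatus, InTrustedPublishers, Signer -AutoSize
```

Anything reporting SignatureStatus of Valid with InTrustedPublishers of False is a candidate for the certificate push described later in this post; anything reporting NotSigned is something the baseline is right to block.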
Disable Trust Bar Notification for unsigned application add-ins and block them
Closely related to trusted publishers is the Trust Bar notification. By default, when Word loads an unsigned add-in it shows a Trust Bar message that lets the user enable it anyway; this setting suppresses that prompt and blocks the add-in outright. Note that it only has an effect when “Require that application add-ins are signed by Trusted Publisher” is also enabled. It is another key best practice: we need to protect people from themselves, and a one-click “Enable” for unsigned add-ins and macros is not good:

VBA Macro Notification Settings
Another closely related setting is VBA Macro Notification Settings, which we use to disable all macros except those that are digitally signed by a trusted publisher. We should also couple this with the settings that require trusted publisher certificates to be in the local machine store and to carry the Code Signing EKU (1.3.6.1.5.5.7.3.3), so that a certificate issued for some other purpose cannot be used to vouch for a macro:

All in all, unsigned macros and add-ins are a significant risk, and these three settings are how we stop them.
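To confirm the three settings above actually landed on a device, here is an added example (my own, not from the original post) written as an Intune remediation-style detection script. It reads the registry values the Office ADMX templates write for these settings (RequireAddinSig, NoTBPromptUnsignedAddin and VBAWarnings under Word\Security) from both the Group Policy/Intune path and the path the Office cloud policy service writes to, and exits 0 for compliant or 1 for non-compliant. The order in which it consults the two paths is an assumption; check which source wins in your tenant before relying on it.

```powershell
# Added example: detection script for the three Word add-in/macro baseline settings.
# Assumes Office 16.0 and the ADMX registry value names for these settings.

# VBAWarnings values: 1 = enable all, 2 = disable with notification,
# 3 = disable all except digitally signed, 4 = disable all without notification.
$expected = @{
    RequireAddinSig         = 1   # add-ins must be signed by a Trusted Publisher
    NoTBPromptUnsignedAddin = 1   # no Trust Bar prompt; unsigned add-ins are blocked
    VBAWarnings             = 3   # only digitally signed macros may run
}

# Either path can deliver the policy; the first one that holds a value is reported.
$policyPaths = @(
    'HKCU:\Software\Policies\Microsoft\Office\16.0\Word\Security',
    'HKCU:\Software\Policies\Microsoft\Cloud\Office\16.0\Word\Security'
)

function Get-EffectiveWordSecurityValue {
    param([string] $Name)
    foreach ($path in $policyPaths) {
        $item = Get-ItemProperty -Path $path -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { return [int] $item.$Name }
    }
    return $null   # not configured by policy at all
}

function Test-WordSecurityBaseline {
    foreach ($name in $expected.Keys) {
        $actual = Get-EffectiveWordSecurityValue -Name $name
        [pscustomobject]@{
            Setting   = $name
            Expected  = $expected[$name]
            Actual    = $actual
            Compliant = ($actual -eq $expected[$name])
        }
    }
}

$result = @(Test-WordSecurityBaseline)
$result | Format-Table -AutoSize | Out-String | Write-Output

if ($result.Compliant -contains $false) {
    Write-Output 'Non-compliant: one or more Word add-in/macro settings are missing or weakened.'
    exit 1
}
Write-Output 'Compliant'
exit 0
```

Because the values live under HKCU, configure the remediation to run in the logged-on user’s context rather than as SYSTEM, otherwise it reads the wrong hive and reports every device as non-compliant.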
Issues Created by Office App Security Baselines
Focusing on Adobe, we noticed a few issues after deploying the best practices for Microsoft Word.
First, when we tried to right-click a document and choose “Convert to PDF”, we ran into a fun issue known as “Missing PDFMaker files”:

We also saw this inside of Microsoft Word:

We checked out Trusted Publishers and noticed that Adobe is missing:

In short, all of the Convert to PDF functionality ties back to the Microsoft Word add-in, and many publishers, such as Clarivate (who make EndNote) and, surprisingly, Adobe, don’t write their installers to add their signing certificate to “Trusted Publishers” or to prompt the user to add it. That is a major issue we need to handle, but how?!
Using Microsoft Intune to Address Trusted Publisher Issues
Now, you will be SHOCKED, but these developers have no interest in addressing this, so we will have to address it ourselves. Let’s put on our hardhat and get to work! As I mentioned earlier, we know where the signed DLLs are, so let’s get that certificate!
This code will grab the info you need to build your trusted publisher profile in Intune:
## Grab the signature from the Adobe DLL ##
$signature = Get-AuthenticodeSignature -FilePath "C:\Program Files\Adobe\Acrobat DC\PDFMaker\Common\PDFMakerAPI.dll"
## Only export a certificate from a file whose signature actually validates ##
if ($signature.Status -ne 'Valid') { throw "Signature status is $($signature.Status); not exporting the certificate." }
## Extract the signer (leaf) certificate; this is what goes into Trusted Publishers ##
$certificate = $signature.SignerCertificate
## Capture the DER-encoded certificate as Base64 and output it ##
$base64Cert = [System.Convert]::ToBase64String($certificate.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert))
Write-Output $base64Cert
## Output the thumbprint; it becomes the node name in the OMA-URI ##
Write-Output $certificate.Thumbprint
Depending on how you want to do it from here, you can create a custom policy with the following:
OMA-URI: ./Device/Vendor/MSFT/RootCATrustedCertificates/TrustedPublisher/{Thumbprint aka $certificate.thumbprint}/EncodedCertificate
Data Type: String
Value: {The Base64 from above aka $base64Cert}
You can also do it via PowerShell against the Graph API (or paste the same JSON body into Graph Explorer):
# $accessToken is assumed to hold a Graph bearer token for an identity with the
# DeviceManagementConfiguration.ReadWrite.All permission; $certificate and $base64Cert
# come from the script above.
# Define the API endpoint for creating a custom policy
$graphApiUrl = "https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations"
# Define the custom policy details
$customPolicy = @{
    "@odata.type" = "#microsoft.graph.windows10CustomConfiguration"
    "displayName" = "Trusted Publishers"
    "description" = "Trusted Publishers"
    "omaSettings"  = @(
        @{
            "@odata.type" = "#microsoft.graph.omaSettingString"
            "displayName" = "Adobe PDFMaker signing certificate"
            "description" = "Pushes the Adobe code-signing certificate into the machine Trusted Publishers store"
            "omaUri"      = "./Device/Vendor/MSFT/RootCATrustedCertificates/TrustedPublisher/$($certificate.Thumbprint)/EncodedCertificate"
            "value"       = $base64Cert
        }
    )
}
# Convert the custom policy to JSON
$customPolicyJson = $customPolicy | ConvertTo-Json -Depth 10
# Create the custom policy via API
$response = Invoke-RestMethod -Method Post -Uri $graphApiUrl -Headers @{
    Authorization  = "Bearer $accessToken"
    "Content-Type" = "application/json"
} -Body $customPolicyJson
# Output the response (the returned id is what you assign to a group)
$response
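A policy created through Graph has no assignments, so it reaches nobody until you assign it. The following added example (my own, not from the original post) assigns the policy just created to an Entra ID group with the deviceConfigurations assign action and then reads the assignments back. It assumes $accessToken and $response from the script above, and $groupId is a placeholder for your pilot group’s object ID.

```powershell
# Added example: assign the custom policy to a group and confirm the assignment.
# Assumes $accessToken carries DeviceManagementConfiguration.ReadWrite.All and
# $response is the object returned by the POST that created the policy.

function Set-PolicyGroupAssignment {
    param(
        [Parameter(Mandatory)] [string] $PolicyId,
        [Parameter(Mandatory)] [string] $GroupId,
        [Parameter(Mandatory)] [string] $AccessToken
    )
    $headers = @{ Authorization = "Bearer $AccessToken"; 'Content-Type' = 'application/json' }
    $baseUri = "https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations/$PolicyId"

    # The assign action replaces the full assignment list for the policy
    $body = @{
        assignments = @(
            @{
                target = @{
                    '@odata.type' = '#microsoft.graph.groupAssignmentTarget'
                    groupId       = $GroupId
                }
            }
        )
    } | ConvertTo-Json -Depth 10

    Invoke-RestMethod -Method Post -Uri "$baseUri/assign" -Headers $headers -Body $body | Out-Null

    # Read the assignments back so the change is confirmed rather than assumed
    (Invoke-RestMethod -Method Get -Uri "$baseUri/assignments" -Headers $headers).value
}

$groupId = '00000000-0000-0000-0000-000000000000'   # placeholder: pilot group object ID
Set-PolicyGroupAssignment -PolicyId $response.id -GroupId $groupId -AccessToken $accessToken
```

Start with a pilot group; the certificate lands in the machine store on the next device sync, and you can confirm it on a device with Get-ChildItem Cert:\LocalMachine\TrustedPublisher before widening the assignment.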
By doing this, you send the Adobe certificate into the machine Trusted Publishers store on every assigned device, which addresses the issue while keeping the secure posture for your Office apps and their macros/add-ins. Two things to keep in mind: the policy does nothing until it is assigned to a group, and you are trusting one specific leaf certificate, so when Adobe renews its code-signing certificate the add-in will be blocked again until you repeat the export and push the new one.
Final Thoughts
We learned recently, with the nightmare CrowdStrike update that broke a great many customers, that you need to test changes before rolling them out widely. If you properly pilot security baselines on Office apps, you should catch these sorts of issues. Some people just “let it fly!”, which sounds great but is often disastrous. With a few fun settings inside Intune we can deliver an excellent security posture without putting a dent in the user experience. That is always the goal, and we can achieve it easily.
