Merge pull request #29391 from MicrosoftDocs/main

[AutoPublish] main to live - 09/09 04:28 PDT | 09/09 16:58 IST

Author: m365-skilling-repo-management[bot]

microsoft-365/admin/security-and-compliance/block-active-x-controls.md

@@ -0,0 +1,34 @@
+---  
+title: "Block ActiveX controls in Microsoft 365 apps"  
+description: Use the Microsoft 365 admin center, Office Group policies or registry keys to block ActiveX controls from running in your Microsoft 365 organization.
+author: kwekuako
+ms.author: kwekua  
+manager: dansimp
+ms.date: 06/24/2025  
+ms.topic: how-to
+ms.service: microsoft-365-admin
+ms.localizationpriority: medium
+ms.collection: RestrictedMode
+ms.custom: QuickDraft
+ms.reviewer: kwekua
+audience: admin
+ai-usage: ai-assisted 
+ROBOTS: NOINDEX, NOFOLLOW
+---
+
+# Block ActiveX controls in Microsoft 365 apps
+
+ActiveX controls are small programs used to add interactive features to Microsoft 365 documents and web pages. Due to their history of security vulnerabilities, ActiveX controls are highly susceptible to exploitation by malicious actors. These controls can be used to run harmful code, install malware, or take control of a system when users open compromised files or visit unsafe websites. Consequently, ActiveX is now blocked by default in Microsoft 365 apps.
+
+When this setting is turned on, users in your environment won’t be able to override the default configuration using **Trust Center**.
+
+If you have turned on this setting but need to revert to the default behavior (allow users to override ActiveX blocking using Trust Center), you can turn this setting off directly in the Microsoft 365 admin center.
+
+## Turn off setting in the Microsoft 365 admin center
+
+1. Go to the Microsoft 365 admin center at <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">https://admin.cloud.microsoft</a> and select Org settings.
+1. Select Baseline Security Mode, find the **Block ActiveX controls in the Microsoft 365 apps** setting, and switch the toggle to **Off**.
+
+## Use Office Cloud Policy service
+
+Alternatively, you can make changes to the policy settings directly using the [Office Cloud Policy service](https://config.office.com/). Set the **Disable All ActiveX** policy as not configured to revert to the default behavior.

microsoft-365/admin/security-and-compliance/block-basic-authentication.md

@@ -0,0 +1,37 @@
+---  
+title: "Block Basic authentication"  
+description: Block Basic authentication in Microsoft 365 apps
+author: kwekuako
+ms.author: kwekua  
+manager: dansimp
+ms.date: 06/24/2025  
+ms.topic: how-to
+ms.service: microsoft-365-admin  
+ms.localizationpriority: medium
+ms.collection: RestrictedMode
+ms.custom: QuickDraft
+audience: admin
+ai-usage: ai-assisted
+ROBOTS: NOINDEX, NOFOLLOW
+---
+
+# Block Basic authentication in Microsoft 365 apps
+
+Basic authentication is an outdated authentication method that transmits user credentials in a way that can easily be intercepted and stolen. Blocking Basic authentication helps protect users from credential theft, especially during phishing attacks or when accessing services over insecure networks. Because of these security risks, Basic authentication is now blocked by default in Microsoft 365 apps.
+
+When users attempt to open files on servers that only use Basic authentication, they see a message indicating that the file has been blocked because it uses a sign-in method that might be insecure.
+
+When this setting is turned on, users in your environment won't be able to override the default configuration using Trust Center.
+
+If you have enabled this setting but need to revert to the default behavior (allow users to override the Basic authentication blocking using Trust Center), you can turn this setting off directly in the Microsoft 365 admin center.  
+
+## Turn off setting in the Microsoft 365 admin center
+
+1. Go to the Microsoft 365 admin center at <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">https://admin.cloud.microsoft</a> and select Org settings.
+1. Select Baseline Security Mode, find the **Block Basic authentication prompts** setting, and switch the toggle to **Off**.
+
+## Use Office Cloud Policy service
+
+Alternatively, you can make changes to the policy settings directly using the [Office Cloud Policy service](https://config.office.com/).
+
+The policy setting **Allow Basic authentication prompts from network proxies** controls whether network proxies are allowed to show Basic authentication prompts, and the policy setting **Allow specified hosts to show Basic authentication prompts to Office apps** controls whether specific hosts can show Basic authentication sign-in prompts. Set both of these policies as not configured to revert to the default behavior.

microsoft-365/admin/security-and-compliance/block-dynamic-data-exchange-server-launches-excel.md

@@ -0,0 +1,33 @@
+---  
+title: "Block Dynamic Data Exchange (DDE) server launches in Excel"  
+description: Use the Microsoft 365 admin center, Office Group policies or registry keys to block Dynamic Data Exchange (DDE) server launches in Excel.
+author: kwekuako
+ms.author: kwekua  
+manager: dansimp
+ms.date: 06/24/2025  
+ms.topic: how-to
+ms.service: microsoft-365-admin
+ms.localizationpriority: medium
+ms.collection: RestrictedMode
+ms.custom: QuickDraft
+ms.reviewer: kwekua
+audience: admin
+ROBOTS: NOINDEX, NOFOLLOW
+---
+
+# Block Dynamic Data Exchange (DDE) server launches in Excel
+
+Dynamic Data Exchange (DDE) allows Excel to pull data from external sources in real time. However, if the source is malicious, it can send harmful code to Excel and potentially compromise the system without requiring macros or other active content. Attackers have used this technique in targeted phishing attacks to execute arbitrary commands. Blocking DDE server launches reduces this risk.  
+
+When you enable this setting, Excel will block DDE server launches, helping prevent malicious external sources from injecting harmful code into spreadsheets.
+
+If you have enabled this setting but need to revert to the default behavior, you can turn this setting off directly in the Microsoft 365 admin center.
+
+## Turn off setting in the Microsoft 365 admin center
+
+1. Go to the Microsoft 365 admin center at <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">https://admin.cloud.microsoft</a> and select Org settings.
+1. Select Baseline Security Mode, find the **Block Dynamic Data Exchange (DDE) server launches in Excel** setting, and switch the toggle to **Off**.
+
+## Use Office Cloud Policy service
+
+Alternatively, you can make changes to the policy settings directly using the [Office Cloud Policy service](https://config.office.com/). Set the **Don’t allow Dynamic Data Exchange (DDE) server launch in Excel** policy as not configured to revert to the default behavior.

microsoft-365/admin/security-and-compliance/block-insecure-protocols-file-opens.md

@@ -0,0 +1,32 @@
+---  
+title: "Block insecure protocols for file opens"  
+description: Hypertext Transfer Protocol (HTTP) and File Transfer Protocol (FTP) are outdated protocols that can expose sensitive data because they transmit information in plain text. Blocking file opens using these protocols helps prevent attackers from intercepting credentials or other confidential data during file access.
+author: kwekuako
+ms.author: kwekua  
+manager: dansimp
+ms.date: 06/25/2025  
+ms.topic: how-to
+ms.service: microsoft-365-admin
+ms.localizationpriority: medium
+ms.collection: RestrictedMode
+ms.custom: QuickDraft  
+ms.reviewer: kwekua
+audience: Admin 
+ai-usage: ai-assisted
+ROBOTS: NOINDEX, NOFOLLOW
+---
+
+# Block insecure protocols for file opens in Microsoft 365 apps
+
+Hypertext Transfer Protocol (HTTP) and File Transfer Protocol (FTP) are outdated protocols that can expose sensitive data because they transmit information in plain text. Blocking file opens using these protocols helps prevent attackers from intercepting credentials or other confidential data during file access.
+
+When this setting is turned on, users will be prevented from opening files from locations that use HTTP or FTP. Users will not be able to override this configuration in **Trust Center**. This helps enforce secure data transmission practices and reduces exposure to man-in-the-middle attacks. If you need to revert to the default behavior, you can turn off this setting directly in the Microsoft 365 admin center.
+
+## Turn off setting in the Microsoft 365 admin center
+
+1. Go to the Microsoft 365 admin center at <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">https://admin.cloud.microsoft</a> and select Org settings.
+1. Select Baseline Security Mode, find the **Block insecure protocols for file opens** setting, and switch the toggle to **Off**.
+
+## Use Office Cloud Policy service
+
+Alternatively, you can make changes to the policy setting directly using the [Office Cloud Policy service](https://config.office.com/). Set the **Block Insecure Protocols** policy as not configured to revert to the default behavior.

microsoft-365/admin/security-and-compliance/block-microsoft-publisher.md

@@ -0,0 +1,33 @@
+---  
+title: "Block Microsoft Publisher"  
+description: Use the Microsoft 365 admin center, Office Group policies, or registry keys to block Microsoft Publisher.
+author: kwekuako
+ms.author: kwekua  
+manager: dansimp
+ms.date: 06/25/2025  
+ms.topic: how-to
+ms.service: microsoft-365-admin
+ms.localizationpriority: medium
+ms.collection: RestrictedMode
+ms.custom: QuickDraft
+ms.reviewer: kwekua
+audience: admin
+ROBOTS: NOINDEX, NOFOLLOW
+---
+
+# Block Microsoft Publisher
+
+Publisher has a large attack surface and won't be included in Microsoft 365 starting in October 2026. Blocking Publisher now reduces security risk and aligns with Microsoft’s support strategy.
+
+When you enable this setting, Microsoft Publisher won't launch. When users try to launch Publisher, they get an error message “Publisher could not start because of a security policy set by your organization.”
+
+If you've already enabled this setting but need to revert to the default behavior, you can turn off this setting directly in the Microsoft 365 admin center.
+
+## Turn off setting in the Microsoft 365 admin center
+
+1. Go to the Microsoft 365 admin center at <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">https://admin.cloud.microsoft</a> and select Org settings.
+1. Select Baseline Security Mode, find the **Block Microsoft Publisher** setting, and switch the toggle to **Off**.
+
+## Office Cloud Policy service
+
+Alternatively, you can make changes to the policy setting directly using the [Office Cloud Policy service](https://config.office.com/). Set the **Disable Publisher** policy as not configured to revert to the default behavior.

microsoft-365/admin/security-and-compliance/block-ole-graph-org-chart-objects.md

@@ -0,0 +1,32 @@
+---  
+title: "Block OLE Graph and OrgChart objects"
+description: Block OLE Graph and OrgChart objects
+author: kwekuako
+ms.author: kwekua  
+manager: dansimp
+ms.date: 06/25/2025  
+ms.topic: how-to
+ms.service: microsoft-365-admin  
+ms.localizationpriority: medium
+ms.collection: RestrictedMode
+ms.custom: QuickDraft
+audience: admin
+ROBOTS: NOINDEX, NOFOLLOW
+---
+
+# Block OLE Graph and OrgChart objects
+
+Although rarely used today, OLE Graph and OrgChart objects in Microsoft 365 files are legacy features that attackers often exploit to run malicious code when a document is opened.
+
+When you enable this setting, Microsoft 365 apps will block loading OLE Graph and OrgChart objects to protect users from known exploitation techniques.
+
+If you have enabled this setting but need to revert to the default behavior (allow users to override the basic authentication blocking using Trust Center), you can turn this setting off directly in the Microsoft 365 admin center.  
+
+## Turn off setting in the Microsoft 365 admin center
+
+1. Go to the Microsoft 365 admin center at <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">https://admin.cloud.microsoft</a> and select Org settings.
+1. Select Baseline Security Mode, find the **Block OLE Graph and OrgChart objects** setting, and switch the toggle to **Off**.
+
+## Use Office Cloud Policy service
+
+Alternatively, you can make changes to the policy setting directly using the [Office Cloud Policy service](https://config.office.com/). Set the **Block OrgChart** policy and **Block OLE Graph** policy as not configured to revert to the default behavior.

microsoft-365/admin/security-and-compliance/block-server-extensions-protocol-file-opens.md

@@ -0,0 +1,34 @@
+---  
+title: "Block FPRPC protocol for file opens"
+description: FPRPC (FrontPage Server Extensions Remote Procedure Call) is an outdated protocol that poses security risks. It can be exploited by attackers to execute arbitrary commands or compromise systems through specially crafted files or network traffic. Due to these risks, Microsoft 365 apps block file opens using FPRPC by default. When FPRPC fallback is blocked, the app will attempt to open the file using HTTPS instead.
+author: kwekuako
+ms.author: kwekua  
+manager: dansimp
+ms.date: 06/25/2025  
+ms.topic: how-to
+ms.service: microsoft-365-admin
+ms.localizationpriority: medium
+ms.collection: RestrictedMode
+ms.custom: QuickDraft  
+ms.reviewer: kwekua
+audience: Admin 
+ai-usage: ai-assisted
+ROBOTS: NOINDEX, NOFOLLOW 
+---  
+
+# How to Block FrontPage Server Extensions Remote Procedure Call (FPRPC) for file opens in Microsoft 365 apps
+
+FrontPage Server Extensions Remote Procedure Call (FPRPC) is an outdated protocol that poses security risks. It can be exploited by attackers to execute arbitrary commands or compromise systems through specially crafted files or network traffic. Due to these risks, Microsoft 365 apps block file opens using FPRPC by default. When FPRPC is blocked, the app will attempt to open the file using HTTPS instead.
+
+When this setting is turned on, users in your environment won’t be able to override the default configuration using Trust Center.
+
+If you have turned on this setting and you need to revert to the default behavior, allowing users to override FPRPC blocking using Trust Center, you can turn off the Baseline Security Mode setting directly in the Microsoft 365 admin center.
+
+## Turn off setting in the Microsoft 365 admin center
+
+1. Go to the Microsoft 365 admin center at <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">https://admin.cloud.microsoft</a> and select Org settings.
+1. Select Baseline Security Mode, find the Block FPRPC protocol for file opens setting, and switch the toggle to **Off**.
+
+## Use Office Cloud Policy service
+
+Alternatively, you can make changes to the policy setting directly using the [Office Cloud Policy service](https://config.office.com/). Set the **Restrict Apps from FPRPC Fallback** policy as not configured to revert to the default behavior.

microsoft-365/admin/security-and-compliance/minimum-version-numbers-office.md

@@ -0,0 +1,50 @@
+---  
+title: "Minimum versions for Baseline Security Mode mode in Office"  
+description: Learn about minimum version numbers for Baseline Security Mode settings
+author: kwekuako 
+ms.author: kwekua  
+manager:  dansimp
+ms.date: 08/13/2025  
+ms.topic: overview
+ms.service: microsoft-365-admin  
+ms.localizationpriority: medium
+ms.collection: RestrictedMode
+ms.custom: QuickDraft  
+ms.reviewer: kwekua
+audience: admin
+ai-usage: ai-assisted
+ROBOTS: NOINDEX, NOFOLLOW
+---
+
+# Minimum versions for Baseline Security Mode settings in Office
+
+As an admin, it's essential to ensure that your organization is using the correct version of Microsoft 365 apps to fully leverage Baseline Security Mode functionality. Baseline Security Mode settings in Office apps are implemented using Cloud Policy settings. This article provides information on the minimum version requirements for Baseline Security Mode functionality in Microsoft 365 for Windows. For more information, see [Baseline Security Mode settings](restricted-mode-mac.md).
+
+## Minimum version requirements
+
+The recommended minimum version for Baseline Security Mode functionality in Microsoft 365 for Windows is version 2508. Earlier versions do not support sending telemetry signals from Office clients to the Microsoft 365 admin center to display simulation mode data.
+
+### Baseline Security Mode settings and minimum required versions
+
+| Setting  | Minimum required version  |
+|-------------------------------------------------------------------------|----------------------------------------------------------------------------|
+| Open ancient legacy formats in Protected View and disallow editing  | 2506 [[1]](#footnote-1) |
+| Open old legacy formats in Protected View and save as modern format| 2506 [[1]](#footnote-1) |
+|Block ActiveX controls in the Microsoft 365 apps | Available in all currently supported versions of Microsoft 365 for Windows |
+| Block OLE Graph and OrgChart objects  | 2503  |
+| Block Dynamic Data Exchange (DDE) server launches in Excel | Available in all currently supported versions of Microsoft 365 for Windows |
+| Block Microsoft Publisher | 2504 |
+| Block Basic authentication prompts | Available in all currently supported versions of Microsoft 365 for Windows |
+| Block insecure protocols for file opens | 2507 |
+| Block FPRPC protocol for file opens | 2507 |
+
+###### Footnote 1
+
+All currently supported versions of Microsoft 365 for Windows support opening legacy formats in Protected View and enforcing File Block settings related to disallowing edit and/or preventing save in legacy formats. The minimum version to enforce the policy setting to not allow trusted files to bypass File Block settings is version 2502. The minimum version to enforce the policy setting to prevent external workbook links to blocked file types from refreshing is version 2506.
+
+## Office Cloud Policy service
+
+The [Baseline Security Mode settings](restricted-mode-mac.md) topic has details on which Cloud Policy settings support the Baseline Security Mode setting. Individual Cloud Policy settings can be used to modify Baseline Security Mode behavior. For example, allowing files in a specific old legacy format to bypass Protected View while continuing to open all other old legacy format files in Protected View, without turning off the entire Baseline Security Mode policy.
+
+> [!NOTE]
+> IIf you are managing Microsoft 365 apps using the Group Policy Editor, it is strongly recommended that you migrate to Cloud Policy service. When a policy is configured in both Group Policy and Cloud Policy, the Cloud Policy configuration will take precedence.