I have a bunch of group policy settings that need to be enforced on a lot of new Office 365 installations. I excitedly downloaded the Administrative Template files (ADMX/ADML) package, uploaded them to the Active Directory’s PolicyDefinitions folder, and opened up Group Policy Management, put in all the policies I want to push out.
Guess what? Out of the 6 policies I put in, only one of them gets pushed out. None of the other ones got applied.
The gpresult command line that checks the resulting set of policy settings enforced on the computer tells me all of them are pushed out from the Active Directory as they are supposed to. But why my Office 365 apps take none of them?
Turns out, something has changed since the release of Office 2013. All group policy settings pushed out from AD will be ignored on retail version of Office, including Microsoft 365 Business subscription. If you need a version that supports GPO, you need to get the volume license editions, or Microsoft 365 Business Premium, which is equivalent to Office 365 ProPlus. Essentially, you will need to pay more, a lot more, to get the functionality again.
I don’t find any official documents that state this requirement but I do tend to agree with this, as it’s exactly what happened in my case.
Workaround? Use Registry settings instead, not the ones under Policies key because those ones are already existed but are ignored, but the real ones under HKCU.
For example, if I need to Allow Trusted Locations on my network, I can open GPO editor on a specified GPO and go to
User Configuration > Preferences > Windows Settings > Registry
Right-click on the empty area at the right pane, choose New > Registry Item.
Select Create as Action, HKEY_CURRENT_USER as the Hive, with the following Key Path:
SOFTWARE\Microsoft\Office.0\Word\Security\Trusted Locations
Set a Value name as AllowNetworkLocation with a value data as 1 in REG_DWORD type.
You may also need to copy/paste to another item and change the action to Update to make sure the setting you put in is always intact.
It’s not as perfect as the ones pushed out via GPO but it works. If it gets changed during one session, it will get reset via next login.