Office 365 Business Group Policy
Disabling Group Policy from Office 365 Business users doesn't make a lot of sense to me. A lot of smaller- to medium-sized businesses which have an IT point person who does more than just IT, rely on tools like Group Policy to keep their users running cleanly and uniformly. While larger enterprises use Group Policy to eliminate having to perform the same customization on thousands of devices, small business use the same thing, not to save time managing thousands of devices, but to centralize efforts and increase efficiency when resources are scarce. I was disappointed to learn that all of my GPOs from before 365 are now entirely invalidated, especially after "joining up" in full and subscribing to Office 365, and after migrating from our on-prem. Exchange server to Exchange Online. It feels like a bit of a slap in the face, actually.
Microsoft is intensely focused on spinning up collaboration. They are not giving the necessary thought to administrators losing administrative controls and the impact of connecting everything to everything. Watch some webinars by a company called Varonis to see how completely kluged collaboration controls and security are
We're in the midst of a transition from Office 2010 to 365 Apps for Business and incredibly disappointed by this. Group Policy management is absolutely indispensable even for a lowly few dozen computers, let alone 200 or 300.
I thought the security and manageability of a business product were a big deal to Microsoft. Its removal is so arbitrary I'm inclined to think some bean counters chucked a few darts at a feature board to make their determination on how to differentiate it from Enterprise. Or maybe Apple is giving them advice these days.
Just thought I'd follow up on my previous comments...still dealing with this ridiculousness.
Interestingly enough, even people working for Microsoft haven't a clue about how broken ADMX/ADML is between the subscription levels/offerings.
It is now a mission of mine to call out those assigned with responsibilities for maintaining DOCS associated with native apps within the 365 portfolio. Each time I discover an entry that "suggests" a feature/function works across all platforms...Microsoft 365 Apps for Enterprise and Microsoft 365 Apps for Business...I am now referencing my feedback entries with a "suggestion" that it's inaccurate. For example: https://docs.microsoft.com/en-us/deployoffice/privacy/manage-privacy-controls#feedback
Even if I am incorrect (maybe, just maybe, this one setting within the Office ADMX/ADML actually works as intended), at least there will be numerous cross references pointing to the fact that it doesn't work in its entirety.
I have also located all "duplicate" ideas within UserVoice referencing the differences in ADMX/ADML between the subscription levels and have included a reference back to this one...if Microsoft refuses to acknowledge this as being a problem, steering everyone who's questioning/searching to the same entry (thank you, John Sauber) should garner enough traction and lead to a formal response to this issue.
It's only a matter of time before this idea gains enough attention...from old cronies like myself paying attention, to the new Office subscribers and/or admins looking for a way to protect the endponts/users, this will not seemingly resolve itself (oh, I wish it could).
@ Brad Bumgarner
Teams -- use the Office 365 ODT to stop it from being installed...then use GPO to keep it from running (if it ever makes its way onto any of your devices)...we've been doing this since the day Microsoft announced Teams would be included in the Office C2R deployments. So far, it's working.
Bing -- I could be wrong, but I think you can control this via the more recent Windows 10 ADMX.
Maybe someday, someone at Microsoft will read this and realize how shameful and embarrassing it is to prohibit the most fundamental/necessary of tool(s) from functioning in an aptly-named "business" product...whatever name they are calling it now (or in the future).
John Pell commented
Please at least include this with Microsoft 365 Business? Or let us use the Office Cloud Policy Service? Literally any option so that I can block macros across all our computers. Seriously. Just that setting. Please.
Besides shelling out another $7.50/month or running through a series of REGEDIT hacks (far too many problems with the solution provided by @Ican Hackett...it did work for quite a while, but at some point it became a HOT MESS for a dozen of our endpoints), what other options do we have? NONE. Thanks for the memories, Microsoft.
Brad Bumgarner commented
@ Icahn Hackett
I know this topic is quite old, but I'm curious if you've updated your custom templates to include other annoyances Microsoft has pushed with Office 365 Business in the last few years?
For instance, Microsoft Teams installing was announced as something that could be controlled by GPO in Office 365 ProPlus. Teams installs annoyingly with O365 Business.
Likewise, Microsoft has announced Bing as the default search for Chrome as pushing Feb 2020 to ProPlus and you can prevent it with GPO for ProPlus. I know this annoyance wil eventually appear in Office 365 Business.
This is ridiculous! The feature is there, but you're disabling it on certain account types. Why?
Arno Fink commented
I also agree with many other people here, that Office 365 Business (Premium) should work with ADMX-Templates. MS sells it as a business procuct and in a business environment (no matter of big or small business) with a on premise Server or DC the use of GPOs is standard and best practice.
Sometimes less is more and users of the O365 Business (Premium) plan want less not needed apps, but the basic instruments to manage their Windows network. In context to the european data protection regulation DSGVO and the discussion of O365 conformity to the DSGVO it is nearly indispensable to work with GPOs and make the systems data protection conform.
Microsoft and their useless intelligence! Erm who are Businesses you knumbskulls, Erm they are the huge part of your licensing income. Hey but wait GPO is available for extra £2 in Office 365 ProPlus. Note Microsoft leave out the word Business implying you don’t mean anything to them other than cash cows.
Interestingly I had Office 365 Business + GPO working up until September somehow, even using the “ADMX/ADML) for Office 365 ProPlus, Office 2019, and Office 2016“. After I updated my 365 offline installer and refreshed the ADMX files it no longer works. Stranger is my O365 on the same version using the same admin templates works but a new install won’t work!
I 100% agree here, this is the most ridiculous change that I've seen in a very long time. You can't call it a business product and take out a key tool built into all version of the same operating system you peddle. Utterly floored.
As M365 Business has gotten Shared Computer Activation (so able to use it on RDS environments), I wonder if GPO's are supported aswell? Without GPO support, RDS workloads (e.g. Windows Virtual Desktop) are hard to maintain.
Stephen Cracknell commented
Microsoft spends all of this time and energy making Microsoft 365 Business an attractive alternative to the O365 E3 license so they can sell the full stack but then they leave out a key feature like GPO for Office.
Why even go to all of the trouble of making a Microsoft 365 license for Business if it doesn't include a critical feature like GPO. If they want to go that route, just cap the number of users at 10 rather than 300.
@HansChristiansen I'd be interested in taking a look at that PowerShell script if you still have it!
It’s not just visual / functional settings that are affected by this, it could be a real security issue.
Being able to lock down locations that users could set as trusted for example. A user could set everywhere as trusted, negating any macro security settings.
Removing this in a product sold as Premium, and not clearly documenting it in the sales material, is not great from Microsoft
Brad Bumgarner commented
I agree with the other comments here, Office 365 Business should work with Group Policy. I should NOT have to find ad-hoc solutions for deploying registry files or writing Powershell scripts to make my small business environment manageable. I'm not trying to completely prevent updates. I deploy most updates within the first week they are released. I simply need to control when the updates occur so that employee's don't waste time waiting on an update - that wastes money. This is usually because an employee inadvertently started the update. I'm spending far too much time having to find solutions to control these updates. Microsoft is putting a huge strain on small to medium businesses that just want basic control.
Hans Christiansen commented
I ran into this issue as certain documents were unable to be opened due to them not being located in a "trusted location" - due to the way the call to open them is made Word or Excel will report them as being damaged.
It's an infuriating decision made by Microsoft and I join in the chorus of "what's the point of calling it a business subscription when it doesn't respect what is an inherent part of managing a business organsiation through an AD and associated GPO objects!"
Even more frustrating when the package through displaying boiler plate texts that Group Policies can exist lead one to believe that they should work but first by seeing a comment in a forum somewhere about which version of office is being used is focus turned to the licensing issues.
Information in the software like "Hej guys, just so you know there are policies in existence which I'm not going to respect due to you not paying as much as we want you to :-P"
Anyhow - as adversity is the mother of all invention plus in response to a comment posted lower down by amongst others "Lance Aughey" removing the policies will leave the "preferences" and will be left untouched following the removal I created a very crude but functional powershell script which will use the entries created by the tradition admx templates and mirror them into the users own settings for each of the products word and excel.
This script is run on login within in a separate gpo object of it's own and the idea is that it either adds, modifies or removes these trusted locations for word and excel plus the setting about "allowing trusted locations on the network". This is only performed if the version of Office is "Microsoft Office 365 Business". Maybe of interest to someone - send a message if so.
I want to disable macros because of Emotet via GPO in Office 365 Business (NOT ProPlus).
It is not possible??? In a business Product?
Could you please update your Office 365 Business Product to work with GPOs?
I agree. Some of us try to do more with less. We don't have some of the staffing that larger business have. I rely on group policy to make it easier on our tech support dept.
Our licenses are called "Business" - How businessy is it to remove a feature like this?!