🎯 Purpose
✅ Enforce Essential Eight – User Application Hardening by blocking OLE package activation in Microsoft Office.
👥 Who is affected
✅ Devices: All Windows devices
🚫 Exclusions: None
➡️ Users cannot execute embedded OLE package objects in Office documents.
☁️ What access is protected
✅ Applications:
Microsoft Word
Microsoft Excel
Microsoft PowerPoint
➡️ Prevents execution of embedded package objects within Office files.
🔐 How hardening is enforced
✅ Enforced via an Intune device management script
✅ Runs as SYSTEM (32‑bit host)
✅ Sets PackagerPrompt = 2 in Office 16.0 security registry keys
➡️ OLE package activation is blocked for users.
ℹ️ Note:
This control targets OLE package objects, a common malware delivery mechanism in Office documents.
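One way to verify that the setting described above is present for users on a device, as an added example that is not the policy's own Intune script. It assumes the per-user path `Software\Microsoft\Office\16.0\<App>\Security` (the page does not spell out the full key) and checks only the user hives currently loaded under `HKEY_USERS`; the function name is hypothetical.

```powershell
# Added example: audit PackagerPrompt for Word, Excel and PowerPoint in every
# loaded user hive. Run elevated (admin or SYSTEM) so other users' hives are readable.
# Assumption: the value lives under <hive>\Software\Microsoft\Office\16.0\<App>\Security.

function Get-PackagerPromptState {
    param(
        [string[]]$Apps = @('Word', 'Excel', 'PowerPoint'),
        [int]$Expected = 2   # value the policy sets
    )

    # Keep only real user profiles (S-1-5-21-...); this skips the *_Classes
    # hives and the built-in service account hives.
    $hives = Get-ChildItem -Path 'Registry::HKEY_USERS' |
        Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' }

    foreach ($hive in $hives) {
        foreach ($app in $Apps) {
            $key = "Registry::HKEY_USERS\$($hive.PSChildName)\Software\Microsoft\Office\16.0\$app\Security"
            $value = $null
            if (Test-Path -Path $key) {
                $value = (Get-ItemProperty -Path $key -Name 'PackagerPrompt' `
                          -ErrorAction SilentlyContinue).PackagerPrompt
            }
            [pscustomobject]@{
                Sid            = $hive.PSChildName
                App            = $app
                PackagerPrompt = if ($null -eq $value) { 'not set' } else { $value }
                Compliant      = ($value -eq $Expected)
            }
        }
    }
}

$results = @(Get-PackagerPromptState)
$results | Format-Table -AutoSize

# Non-zero exit when any loaded profile is missing the value or has a different one.
if ($results | Where-Object { -not $_.Compliant }) { exit 1 } else { exit 0 }
```

A result of `not set` for a signed-in user means the value was not written to that user's hive, which is worth checking when the deployment script runs under a different account than the user.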
⚙️ What this policy does NOT enforce
🚫 Macro execution controls
🚫 Device compliance requirements
🚫 Browser or email filtering
🚫 Authentication restrictions
➡️ This policy focuses solely on blocking OLE package execution.
🟢 Policy status
✅ Enabled
✅ Enforced via Intune script execution
📘 Essential Eight Alignment
✅ Supports User Application Hardening (Maturity Levels 2–3)
✅ Reduces risk of malware execution via embedded Office content
ℹ️ Complements macro hardening and browser protection controls
📘 Practical Interpretation (Executive‑Friendly)
This policy ensures that:
✅ Embedded OLE package content cannot be executed
✅ Office documents cannot be used to launch hidden payloads
✅ A common malware delivery technique is blocked
This strengthens the organisation’s user application hardening posture and directly supports Essential Eight maturity uplift.


