Hey everyone! I'm new to being an admin, so I'm hoping for some guidance here. While going through the security recommendations for Microsoft Defender, I stumbled upon the "Block Win32 API calls from Office macros" policy. I checked our group's policy settings and noticed that the GPO status for this setting is "Enabled". However, the scope indicates that "Enforced" is set to "No" while "Link Enabled" is "Yes". If I understand correctly, it should apply the policy across all PCs unless there's a local conflict.
I then checked one of the PCs flagged as vulnerable and used the command "gpresult /h C:\Users\USERNAMEHERE\Downloads\gpo.html" to generate a report. The report shows the "Block Win32 API..." policy under "Applied GPOs", but it says "Disabled" is set to "None". I'm confused about what that means. Shouldn't it indicate if the GPO is active in a clearer way, like "True/Yes" or "False/No"? Is there somewhere else I should look to confirm its activity? Oh, and by the way, I'd appreciate any thoughts on why the Windows Defender Admin site doesn't acknowledge this policy as being active on our PCs. Thanks for any insights, and I owe you a gratitude point for your help! 😀
1 Answer
Hey! So, the "Enforced" status deals with inheritance rules and precedence in group policies. If a policy is marked as "Enforced", it can't be blocked by lower-level policies — it means it takes priority. As for the "Disabled: None" part, it essentially indicates that neither part of the GPO (user or computer side) is disabled. If you see the policy listed under "Applied GPOs", it’s active on that PC.
That definitely clarifies things! I was uncertain if just being listed under "Applied GPOs" meant it was enabled or if it could be disabled for some other reason. But it's good to know that neither configuration part is turned off. Now if only the Windows Defender Admin center would recognize it as active too!
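For the question of where else to look to confirm the setting on a PC, this added PowerShell example (not part of the original thread) compares the rule state that Group Policy wrote to the registry with the state Defender itself reports through `Get-MpPreference`. The rule GUID, registry path and state values are taken from Microsoft's ASR documentation rather than from the thread, and the script assumes an elevated session on the PC being checked.

```powershell
# Added example: compare the ASR rule state delivered by policy with
# the state Defender reports on this PC. Run elevated.

# Rule ID for "Block Win32 API calls from Office macros"
# (from Microsoft's ASR rule reference, not from the thread).
$RuleId = '92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b'

# Per-rule state values used by ASR.
$StateName = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-StateLabel {
    param($Value)
    if ($null -eq $Value) { return 'Not configured' }
    $key = [int]$Value
    if ($StateName.ContainsKey($key)) { return $StateName[$key] }
    return "Unknown ($Value)"
}

# 1. What Group Policy wrote: each rule is a registry value named by its GUID.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules'
$policyValue = $null
if (Test-Path $PolicyKey) {
    $props = Get-ItemProperty -Path $PolicyKey
    $match = $props.PSObject.Properties | Where-Object { $_.Name -ieq $RuleId }
    if ($match) { $policyValue = $match.Value }
}

# 2. What Defender reports as its effective configuration.
$pref = Get-MpPreference
$effectiveValue = $null
$ids = @($pref.AttackSurfaceReductionRules_Ids)
$actions = @($pref.AttackSurfaceReductionRules_Actions)
for ($i = 0; $i -lt $ids.Count; $i++) {
    if ($ids[$i] -ieq $RuleId) { $effectiveValue = $actions[$i] }
}

# Side-by-side result for this rule.
[pscustomobject]@{
    RuleId          = $RuleId
    PolicyRegistry  = Get-StateLabel $policyValue
    DefenderReports = Get-StateLabel $effectiveValue
}
```

The per-rule value is separate from whether the GPO itself was processed, so the two columns show which state (Block, Audit, Warn, Disabled or Not configured) actually reached the endpoint for this rule.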