Trusted Locations for Office files

Trusted Locations for Office files is a Windows Group Policy setting located under User Configuration > Policies > Administrative Templates > Microsoft Office 2016 > Security Settings > Trust Center > Trusted Locations. It applies to the User Configuration branch and is classified as a Informational-level policy in the Microsoft Office / M365 Apps category.

Designates safe locations where Office files execute without security warnings. Reduces helpdesk tickets for legitimate business documents while maintaining security posture.

Microsoft sets the default value to Empty while industry security baselines (CIS, NIST, DISA STIG) recommend https://internal.company.com/safe-docs.

Under the hood, this policy is enforced through the Windows registry at HKCU\Software\Policies\Microsoft\Office\16.0\Common\Security\Trusted Locations using the value name Location1. Modifying the value directly through regedit.exe or PowerShell produces the same effect as configuring the GPO, but going through Group Policy is preferred so that the setting is centrally managed and survives reboots, image rebuilds, and policy refresh cycles.

This is primarily an operational or user-experience setting. It does not directly raise or lower the security posture, but it standardizes behavior across the fleet, which is important for predictable support, training, and troubleshooting in an MSP-managed environment.

The policy is grouped under Microsoft Office / M365 Apps, which means it is typically applied through a domain-wide GPO linked at the OU level. In a multi-tenant MSP context, scope it through WMI filters or security group filtering rather than linking at the domain root, so that you can roll out progressively (pilot OU → wider rings → all production).

The setting takes effect after the next Group Policy refresh (gpupdate /force for immediate testing, or by default within ~90 minutes for workstations and ~5 minutes on domain controllers). For computer-side policies a reboot may be required; for user-side policies, a sign-off/sign-on cycle is enough.

1. Open Group Policy Management Console (gpmc.msc) on a domain controller or a workstation with RSAT installed.
2. Create or edit a GPO linked to the OU containing the target user configurations. We recommend a dedicated baseline GPO (e.g. SEC – Microsoft Office / M365 Apps) instead of editing Default Domain Policy.
3. Navigate to User Configuration > Policies > Administrative Templates > Microsoft Office 2016 > Security Settings > Trust Center > Trusted Locations.
4. Open Trusted Locations for Office files and set it to https://internal.company.com/safe-docs.
5. Click OK and close the editor.
6. On the target endpoint, run gpupdate /force (or wait for the next refresh cycle), then verify with rsop.msc or gpresult /h report.html.

Direct registry path: HKCU\Software\Policies\Microsoft\Office\16.0\Common\Security\Trusted Locations\Location1. You can apply the same change with PowerShell:

New-Item -Path 'HKCU\Software\Policies\Microsoft\Office\16.0\Common\Security\Trusted Locations' -Force | Out-Null
Set-ItemProperty -Path 'HKCU\Software\Policies\Microsoft\Office\16.0\Common\Security\Trusted Locations' -Name 'Location1' -Value <value> -Type DWord