Table of Contents
Overview
Adding Trusted Locations and Trusted Network Locations
Configuring Policy through Microsoft 365 Apps admin center
Network Drive Mapping
Overview
Recent security changes in Microsoft Office may prevent macro-enabled documents from opening by default from network locations.
Adding specific network locations to the Trusted Locations list in Office will prevent macro security errors in documents. If the documents are opened from UNC paths, no further action is necessary, but if the documents are opened from drives mapped to IP addresses, the drives will need to be remapped to use UNC paths.
Trusted Locations can be managed per user or globally through management tools such as Microsoft Apps Admin or Group Policy Management. Group Policy Management is not covered in this article
Adding specific network locations to the Trusted Locations list in Office will prevent macro security errors in documents. If the documents are opened from UNC paths, no further action is necessary, but if the documents are opened from drives mapped to IP addresses, the drives will need to be remapped to use UNC paths.
Trusted Locations can be managed per user or globally through management tools such as Microsoft Apps Admin or Group Policy Management. Group Policy Management is not covered in this article
Adding Trusted Locations and Trusted Network Locations
Trusted Locations are managed in Microsoft Office Trust Center. To get to the Trust Center, open any Office software (except Outlook), click on the Files tab and select Options at the bottom of the screen.On the Trust Center tab, click on Trust Center Settings and navigate to Trusted Locations:
Check the Allow Trusted Locations on my network (not recommended) checkbox, and click on Add new location...
Enter the server and share name and check the checkbox Subfolders of this location are also trusted. Optionally, enter a description of this share.
Click on OK to save the new location, close the Trust Center Settings window and exit the Options dialog.
Restart the Office application so that the new settings take effect.
Configuring Policy through Microsoft 365 Apps admin center
⚠️ Before you can complete these steps, you need to create or verify the security group that will determine the users to whom this policy will apply.
Navigate to the Microsoft 365 Apps admin center at https://config.office.com/officeSettings/officePolicies and click on + Create. Enter the Policy name - for example Company Government Team Policy and an optional description, then click on Next.
In the Scope step, choose This policy configuration applies to users in the specified group, and choose the security group.
On the Configure Settings screen, look for "Trusted" to filter the list of available policies. You will see that there's a listing of Trusted Location #1 through #16, along with a few other related policies.
Choose Allow Trusted Locations on the network and switch setting to Manually configured, then select Enabled from the drop-down and click on Apply.
Now select Trusted Location #1 (or another number) and configure it to point to your network share in the Path field; set Allow sub folders: to Enabled. Click on Apply.
On the Configure Settings screen, click on Next, then review your settings and save them.
These settings are applied when the user signs into the Office application, and then evaluated periodically, depending on the situation. Please review the How the policy configuration is applied section of the Microsoft Cloud Policy Overview document for specifics.
Network Drive Mapping
If your documents are opened from the network via mapped drives, your current IP-based drives will need to be remapped using server names. If mapped manually, please delete existing drive and re-add it either using Windows File Explorer, or by using the following command prompt (assuming drive F is to be mapped to \\servername\filesharename). Run command line in administrative mode and enter:net use F: \\servername\filesharename /persistent:yesThis will set drive F to map consistently to the file share.
Drives can also be mapped via GPO logon scripts based on user group membership.