Policy
Don’t ask permission before updating IncludePicture and IncludeText fields in Word
Microsoft Office
Policy overview
Key metadata and intent for this policy.
This policy setting allows you to control whether Word prompts the user with a security message before updating IncludePicture and IncludeText fields in the document. By default, the user is prompted with a security message before those fields are updated. But, the prompt might effect automated workflows that merge Word documents. Important: Fields that contain IncludePicture and IncludeText references can be used for data exfiltration or phishing exploits. A field containing these references can be modified to point to external websites for content. If credentials are required for accessing the picture or text, the process of updating the field will request a sign-in from the user. While this is a legitimate scenario for trusted sources, it is vulnerable to phishing if the document is not from a trusted source. If you enable this policy setting, the user won’t be prompted with a security message before those fields are updated. Enabling this policy setting is not recommended because of the possible security implications. If you disable or don’t configure this policy setting, the user will be prompted with a security message before those fields are updated.
Registry values
How enabled and disabled states update the registry.
| Scope | Registry location | Type | Enabled value | Disabled value | Copy |
|---|---|---|---|---|---|
| User | Path software\policies\microsoft\office\16.0\word\security Value name disablewarningonincludefieldsupdate | REG_DWORD | HKCU 1 | HKCU 0 |
Policy elements
Inputs and configuration options exposed by this policy.
This policy has no additional user input fields.