[
  {
    "id": "RM-01-VBAWarnings-Word-160",
    "title": "Word macros disabled by policy (VBAWarnings=4) Office 16.0",
    "strategy": "RM",
    "type": "scriptblock",
    "script": "$paths=@('HKLM:\\SOFTWARE\\Policies\\Microsoft\\Office\\16.0\\Word\\Security','HKCU:\\SOFTWARE\\Policies\\Microsoft\\Office\\16.0\\Word\\Security'); foreach($p in $paths){} foreach($p in $paths){ if(Test-Path $p){ $v=(Get-ItemProperty -Path $p -ErrorAction SilentlyContinue).VBAWarnings; if($null -ne $v -and [int]$v -eq 4){ return $true } } } $false",
    "minLevel": "ML1"
  },
  {
    "id": "RM-02-BlockInternet-Word-160",
    "title": "Word: block macros from Internet (blockcontentexecutionfrominternet=1) Office 16.0",
    "strategy": "RM",
    "type": "scriptblock",
    "script": "$paths=@('HKLM:\\SOFTWARE\\Policies\\Microsoft\\Office\\16.0\\Word\\Security','HKCU:\\SOFTWARE\\Policies\\Microsoft\\Office\\16.0\\Word\\Security'); foreach($p in $paths){ if(Test-Path $p){ $v=(Get-ItemProperty -Path $p -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet; if($null -ne $v -and [int]$v -eq 1){ return $true } } } $false",
    "minLevel": "ML1"
  },
  {
    "id": "RM-01-VBAWarnings-Excel-160",
    "title": "Excel macros disabled by policy (VBAWarnings=4) Office 16.0",
    "strategy": "RM",
    "type": "scriptblock",
    "script": "$paths=@('HKLM:\\SOFTWARE\\Policies\\Microsoft\\Office\\16.0\\Excel\\Security','HKCU:\\SOFTWARE\\Policies\\Microsoft\\Office\\16.0\\Excel\\Security'); foreach($p in $paths){} foreach($p in $paths){ if(Test-Path $p){ $v=(Get-ItemProperty -Path $p -ErrorAction SilentlyContinue).VBAWarnings; if($null -ne $v -and [int]$v -eq 4){ return $true } } } $false",
    "minLevel": "ML1"
  },
  {
    "id": "RM-02-BlockInternet-Excel-160",
    "title": "Excel: block macros from Internet (blockcontentexecutionfrominternet=1) Office 16.0",
    "strategy": "RM",
    "type": "scriptblock",
    "script": "$paths=@('HKLM:\\SOFTWARE\\Policies\\Microsoft\\Office\\16.0\\Excel\\Security','HKCU:\\SOFTWARE\\Policies\\Microsoft\\Office\\16.0\\Excel\\Security'); foreach($p in $paths){ if(Test-Path $p){ $v=(Get-ItemProperty -Path $p -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet; if($null -ne $v -and [int]$v -eq 1){ return $true } } } $false",
    "minLevel": "ML1"
  },
  {
    "id": "RM-01-VBAWarnings-PowerPoint-160",
    "title": "PowerPoint macros disabled by policy (VBAWarnings=4) Office 16.0",
    "strategy": "RM",
    "type": "scriptblock",
    "script": "$paths=@('HKLM:\\SOFTWARE\\Policies\\Microsoft\\Office\\16.0\\PowerPoint\\Security','HKCU:\\SOFTWARE\\Policies\\Microsoft\\Office\\16.0\\PowerPoint\\Security'); foreach($p in $paths){} foreach($p in $paths){ if(Test-Path $p){ $v=(Get-ItemProperty -Path $p -ErrorAction SilentlyContinue).VBAWarnings; if($null -ne $v -and [int]$v -eq 4){ return $true } } } $false",
    "minLevel": "ML1"
  },
  {
    "id": "RM-02-BlockInternet-PowerPoint-160",
    "title": "PowerPoint: block macros from Internet (blockcontentexecutionfrominternet=1) Office 16.0",
    "strategy": "RM",
    "type": "scriptblock",
    "script": "$paths=@('HKLM:\\SOFTWARE\\Policies\\Microsoft\\Office\\16.0\\PowerPoint\\Security','HKCU:\\SOFTWARE\\Policies\\Microsoft\\Office\\16.0\\PowerPoint\\Security'); foreach($p in $paths){ if(Test-Path $p){ $v=(Get-ItemProperty -Path $p -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet; if($null -ne $v -and [int]$v -eq 1){ return $true } } } $false",
    "minLevel": "ML1"
  },
  {
    "id": "RM-01-VBAWarnings-Outlook-160",
    "title": "Outlook macros disabled by policy (VBAWarnings=4) Office 16.0",
    "strategy": "RM",
    "type": "scriptblock",
    "script": "$paths=@('HKLM:\\SOFTWARE\\Policies\\Microsoft\\Office\\16.0\\Outlook\\Security','HKCU:\\SOFTWARE\\Policies\\Microsoft\\Office\\16.0\\Outlook\\Security'); foreach($p in $paths){} foreach($p in $paths){ if(Test-Path $p){ $v=(Get-ItemProperty -Path $p -ErrorAction SilentlyContinue).VBAWarnings; if($null -ne $v -and [int]$v -eq 4){ return $true } } } $false",
    "minLevel": "ML1"
  },
  {
    "id": "RM-02-BlockInternet-Outlook-160",
    "title": "Outlook: block macros from Internet (blockcontentexecutionfrominternet=1) Office 16.0",
    "strategy": "RM",
    "type": "scriptblock",
    "script": "$paths=@('HKLM:\\SOFTWARE\\Policies\\Microsoft\\Office\\16.0\\Outlook\\Security','HKCU:\\SOFTWARE\\Policies\\Microsoft\\Office\\16.0\\Outlook\\Security'); foreach($p in $paths){ if(Test-Path $p){ $v=(Get-ItemProperty -Path $p -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet; if($null -ne $v -and [int]$v -eq 1){ return $true } } } $false",
    "minLevel": "ML1"
  },
  {
    "id": "RM-01-VBAWarnings-Word-150",
    "title": "Word macros disabled by policy (VBAWarnings=4) Office 15.0",
    "strategy": "RM",
    "type": "scriptblock",
    "script": "$paths=@('HKLM:\\SOFTWARE\\Policies\\Microsoft\\Office\\15.0\\Word\\Security','HKCU:\\SOFTWARE\\Policies\\Microsoft\\Office\\15.0\\Word\\Security'); foreach($p in $paths){} foreach($p in $paths){ if(Test-Path $p){ $v=(Get-ItemProperty -Path $p -ErrorAction SilentlyContinue).VBAWarnings; if($null -ne $v -and [int]$v -eq 4){ return $true } } } $false",
    "minLevel": "ML1"
  },
  {
    "id": "RM-02-BlockInternet-Word-150",
    "title": "Word: block macros from Internet (blockcontentexecutionfrominternet=1) Office 15.0",
    "strategy": "RM",
    "type": "scriptblock",
    "script": "$paths=@('HKLM:\\SOFTWARE\\Policies\\Microsoft\\Office\\15.0\\Word\\Security','HKCU:\\SOFTWARE\\Policies\\Microsoft\\Office\\15.0\\Word\\Security'); foreach($p in $paths){ if(Test-Path $p){ $v=(Get-ItemProperty -Path $p -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet; if($null -ne $v -and [int]$v -eq 1){ return $true } } } $false",
    "minLevel": "ML1"
  },
  {
    "id": "RM-01-VBAWarnings-Excel-150",
    "title": "Excel macros disabled by policy (VBAWarnings=4) Office 15.0",
    "strategy": "RM",
    "type": "scriptblock",
    "script": "$paths=@('HKLM:\\SOFTWARE\\Policies\\Microsoft\\Office\\15.0\\Excel\\Security','HKCU:\\SOFTWARE\\Policies\\Microsoft\\Office\\15.0\\Excel\\Security'); foreach($p in $paths){} foreach($p in $paths){ if(Test-Path $p){ $v=(Get-ItemProperty -Path $p -ErrorAction SilentlyContinue).VBAWarnings; if($null -ne $v -and [int]$v -eq 4){ return $true } } } $false",
    "minLevel": "ML1"
  },
  {
    "id": "RM-02-BlockInternet-Excel-150",
    "title": "Excel: block macros from Internet (blockcontentexecutionfrominternet=1) Office 15.0",
    "strategy": "RM",
    "type": "scriptblock",
    "script": "$paths=@('HKLM:\\SOFTWARE\\Policies\\Microsoft\\Office\\15.0\\Excel\\Security','HKCU:\\SOFTWARE\\Policies\\Microsoft\\Office\\15.0\\Excel\\Security'); foreach($p in $paths){ if(Test-Path $p){ $v=(Get-ItemProperty -Path $p -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet; if($null -ne $v -and [int]$v -eq 1){ return $true } } } $false",
    "minLevel": "ML1"
  },
  {
    "id": "RM-01-VBAWarnings-PowerPoint-150",
    "title": "PowerPoint macros disabled by policy (VBAWarnings=4) Office 15.0",
    "strategy": "RM",
    "type": "scriptblock",
    "script": "$paths=@('HKLM:\\SOFTWARE\\Policies\\Microsoft\\Office\\15.0\\PowerPoint\\Security','HKCU:\\SOFTWARE\\Policies\\Microsoft\\Office\\15.0\\PowerPoint\\Security'); foreach($p in $paths){} foreach($p in $paths){ if(Test-Path $p){ $v=(Get-ItemProperty -Path $p -ErrorAction SilentlyContinue).VBAWarnings; if($null -ne $v -and [int]$v -eq 4){ return $true } } } $false",
    "minLevel": "ML1"
  },
  {
    "id": "RM-02-BlockInternet-PowerPoint-150",
    "title": "PowerPoint: block macros from Internet (blockcontentexecutionfrominternet=1) Office 15.0",
    "strategy": "RM",
    "type": "scriptblock",
    "script": "$paths=@('HKLM:\\SOFTWARE\\Policies\\Microsoft\\Office\\15.0\\PowerPoint\\Security','HKCU:\\SOFTWARE\\Policies\\Microsoft\\Office\\15.0\\PowerPoint\\Security'); foreach($p in $paths){ if(Test-Path $p){ $v=(Get-ItemProperty -Path $p -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet; if($null -ne $v -and [int]$v -eq 1){ return $true } } } $false",
    "minLevel": "ML1"
  },
  {
    "id": "RM-01-VBAWarnings-Outlook-150",
    "title": "Outlook macros disabled by policy (VBAWarnings=4) Office 15.0",
    "strategy": "RM",
    "type": "scriptblock",
    "script": "$paths=@('HKLM:\\SOFTWARE\\Policies\\Microsoft\\Office\\15.0\\Outlook\\Security','HKCU:\\SOFTWARE\\Policies\\Microsoft\\Office\\15.0\\Outlook\\Security'); foreach($p in $paths){} foreach($p in $paths){ if(Test-Path $p){ $v=(Get-ItemProperty -Path $p -ErrorAction SilentlyContinue).VBAWarnings; if($null -ne $v -and [int]$v -eq 4){ return $true } } } $false",
    "minLevel": "ML1"
  },
  {
    "id": "RM-02-BlockInternet-Outlook-150",
    "title": "Outlook: block macros from Internet (blockcontentexecutionfrominternet=1) Office 15.0",
    "strategy": "RM",
    "type": "scriptblock",
    "script": "$paths=@('HKLM:\\SOFTWARE\\Policies\\Microsoft\\Office\\15.0\\Outlook\\Security','HKCU:\\SOFTWARE\\Policies\\Microsoft\\Office\\15.0\\Outlook\\Security'); foreach($p in $paths){ if(Test-Path $p){ $v=(Get-ItemProperty -Path $p -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet; if($null -ne $v -and [int]$v -eq 1){ return $true } } } $false",
    "minLevel": "ML1"
  },
  {
    "id": "RM-03-MacroRuntimeScan-160",
    "title": "Macro runtime AV scanning configured (Office 16.0 common security)",
    "strategy": "RM",
    "type": "scriptblock",
    "script": "$paths=@('HKLM:\\SOFTWARE\\Policies\\Microsoft\\Office\\16.0\\Common\\Security','HKCU:\\SOFTWARE\\Policies\\Microsoft\\Office\\16.0\\Common\\Security'); foreach($p in $paths){ if(Test-Path $p){ $v=(Get-ItemProperty -Path $p -ErrorAction SilentlyContinue).MacroRuntimeScanScope; if($null -ne $v -and @('1','2') -contains ([string]$v)){ return $true } } } $false",
    "minLevel": "ML1"
  },
  {
    "id": "RM-03-MacroRuntimeScan-150",
    "title": "Macro runtime AV scanning configured (Office 15.0 common security)",
    "strategy": "RM",
    "type": "scriptblock",
    "script": "$paths=@('HKLM:\\SOFTWARE\\Policies\\Microsoft\\Office\\15.0\\Common\\Security','HKCU:\\SOFTWARE\\Policies\\Microsoft\\Office\\15.0\\Common\\Security'); foreach($p in $paths){ if(Test-Path $p){ $v=(Get-ItemProperty -Path $p -ErrorAction SilentlyContinue).MacroRuntimeScanScope; if($null -ne $v -and @('1','2') -contains ([string]$v)){ return $true } } } $false",
    "minLevel": "ML1"
  },
  {
    "id": "RM-TRUSTED-PUBLISHERS-160",
    "title": "Trusted Publishers enforcement present (Office 16.0)",
    "strategy": "RM",
    "type": "scriptblock",
    "script": "$p='HKLM:\\SOFTWARE\\Policies\\Microsoft\\Office\\16.0\\Common\\Security'; if(Test-Path $p){ $v=(Get-ItemProperty -Path $p -ErrorAction SilentlyContinue).TrustedPublisher; if($null -ne $v -and [int]$v -eq 1){ return $true } } $false",
    "minLevel": "ML3"
  },
  {
    "id": "RM-TRUSTED-PUBLISHERS-150",
    "title": "Trusted Publishers enforcement present (Office 15.0)",
    "strategy": "RM",
    "type": "scriptblock",
    "script": "$p='HKLM:\\SOFTWARE\\Policies\\Microsoft\\Office\\15.0\\Common\\Security'; if(Test-Path $p){ $v=(Get-ItemProperty -Path $p -ErrorAction SilentlyContinue).TrustedPublisher; if($null -ne $v -and [int]$v -eq 1){ return $true } } $false",
    "minLevel": "ML3"
  }
]