Objective: suppress the first‑run experience and trust bar prompts while keeping security policies intact.

Key controls

  • Office ADMX: DisableFirstRunCustomize and HideFirstRunMovie.
  • Outlook ADMX: set Automatically configure profile based on Active Directory Primary SMTP address and Default account where applicable.
  • Cloud policy via Microsoft 365 Apps admin center for roaming scenarios.
  • Use Intune Device Configuration (Administrative Templates) for consistency in SOE.

Suppress trust bar without disabling protections

Set macro posture to Disable with notification and trust VBA for signed macros only. Use Attack Surface Reduction (ASR) rules and maintain Protected View for files from the internet.

Automation

reg add "HKCU\Software\Microsoft\Office\16.0\Common\General" /v ShownFirstRunOptin /t REG_DWORD /d 1 /f
reg add "HKCU\Software\Microsoft\Office\16.0\Common\General" /v ShownFileFmtPrompt /t REG_DWORD /d 1 /f

Apply via Intune PowerShell script at sign‑in, or use a proactive remediation pair for robustness.