Why do .xls files open on unmanaged Windows 11 Home but are blocked on managed Windows 11 Enterprise via Intune?

Daniel Kersey 0 Reputation points
2025-09-27T00:18:54.2566667+00:00

Hi Microsoft / Community — I’m encountering what appears to be a policy conflict, and I want to confirm whether this is an OS limitation or a configuration issue.

 

Environment / scenario:

  • Devices: Windows 11 Enterprise, Azure AD joined, Intune managed
  • Behavior: Legacy Excel .xls files fail to open (or are blocked) by default
  • Contrast: The same .xls files open successfully on unmanaged Windows 11 Home or non-managed machines
  • Registry evidence:

HKCU\Software\Policies\Microsoft\Office\16.0\excel\security\fileblock 

xl97workbooks = 2 (“Do not open”) 

xl97workbooksandtemplates = 2 (“Do not open”) 

  • These keys are locked (cannot be edited locally).
  • Intune console: Reports that “Allow Office Doc ’97 files” policy has been applied successfully
  • Outcome: The “block” setting persists in practice across all managed machines — policy seems not overridden by the “allow” rule

Questions:

  1. Does Windows 11 Enterprise inherently block .xls files, even without policy enforcement?
  2. If the allow policy is applied but the “do not open” registry values remain, what higher-level policy or Intune baseline would override the allow rule?
  3. What configuration (GPO, Intune, baseline) is supported by Microsoft to guarantee .xls files open properly across all managed devices without requiring manual workarounds?

I appreciate any definitive clarifications or references to internal documentation.

Thank you.

Azure Managed Applications

1 answer

  1. Jerald Felix 9,835 Reputation points
    2025-11-20T16:43:22.51+00:00

    Hello Daniel Kersey,

    Thanks for raising this question in the Q&A forum.

    I understand that your unmanaged Windows 11 Home devices can open legacy .xls (Excel 97-2003) files, while your managed Windows 11 Enterprise devices block them, despite an Intune policy appearing to "Allow" them. The registry on the managed devices shows xl97workbooks = 2 ("Do not open").

    This is almost certainly not an inherent OS difference between Home vs. Enterprise, but rather a conflict between Security Baselines and your specific Intune configuration policy.

    Here is the breakdown of the issue:

    Root Cause: Security Baselines vs. Settings Catalog

    You likely have a Microsoft 365 Apps Security Baseline (or a general Windows Security Baseline) deployed via Intune to your managed devices.

    • The Baseline Wins: Security Baselines are distinct from standard configuration profiles. They often set the "File Block Settings" for legacy formats (like Excel 97) to Block by default to mitigate security risks associated with older binary formats.
    • The Conflict: Even if you deploy a separate Settings Catalog policy to "Allow" these files, the Security Baseline often takes precedence or causes a conflict that results in the restrictive setting (= 2) remaining active.

    Why Unmanaged Devices Work

    Your unmanaged Windows 11 Home devices do not receive these Intune Security Baselines. By default, a fresh installation of Office/Microsoft 365 Apps allows .xls files to open (often in "Protected View"), whereas the enterprise baseline explicitly hard-blocks them.

    Solution: Modify the Security Baseline

    To resolve this on your managed devices without manual registry hacks:

    1. Locate the Baseline: Go to Intune admin center > Endpoint security > Security baselines.
    2. Check Office/M365 Baseline: Look for "Microsoft 365 Apps for Enterprise Security Baseline" (or similar).
    3. Edit the Profile: Open your active profile and go to Configuration settings.
    4. Search for "File Block": Look for settings related to "Excel File Block settings" or "Legacy File Formats".
    5. Change Setting: Find the setting for "Excel 97-2003 Workbooks" and change it from "Block" (or "Not Configured" if the default is block) to "Do not block" (or "Open in Protected View").
    6. Save & Sync: Save the baseline and force a sync on a test device.

    Once the baseline is updated, the registry key xl97workbooks should revert to 0 (Allow) or 1 (Protected View), allowing the files to open.

    If this helps, approve the answer.

    Best Regards,

    Jerald Felix

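A read-only check for the state discussed in this thread, as an added example that is not part of the original question or answer. The policy key and value names are the ones quoted in the question; the non-policy `HKCU:\Software\Microsoft\Office\16.0\...` location for the user's own Trust Center setting and the function name `Get-ExcelFileBlockState` are assumptions.

```powershell
# Added example, not from the thread. Reports where Excel's legacy-format
# File Block values are set for the current user. It only reads the registry.
$names = 'xl97workbooks', 'xl97workbooksandtemplates'   # value names quoted in the question
$sub   = 'Microsoft\Office\16.0\excel\security\fileblock'
$hives = [ordered]@{
    Policy = "HKCU:\Software\Policies\$sub"   # key quoted in the question (policy-managed)
    User   = "HKCU:\Software\$sub"            # assumption: per-user Trust Center location
}

function Get-ExcelFileBlockState {
    foreach ($name in $names) {
        $found = [ordered]@{}
        foreach ($source in $hives.Keys) {
            # A missing key or value yields $null instead of an error.
            $item = Get-ItemProperty -Path $hives[$source] -Name $name -ErrorAction SilentlyContinue
            $found[$source] = if ($null -ne $item) { $item.$name } else { $null }
        }

        # A value under Software\Policies takes precedence over the user's own setting.
        $effective = if ($null -ne $found.Policy) { 'Policy' } elseif ($null -ne $found.User) { 'User' } else { 'Office default' }

        [pscustomobject]@{
            Name            = $name
            PolicyValue     = $found.Policy
            UserValue       = $found.User
            EffectiveSource = $effective
            # 2 is the value the question reports as "Do not open".
            PolicyBlocks    = ($found.Policy -eq 2)
        }
    }
}

Get-ExcelFileBlockState | Format-Table -AutoSize
```

Run it as the affected user before and after an Intune sync. If `PolicyValue` still shows 2 after the baseline change, an assigned profile is still writing the block.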
