Block additional file extensions for OLE embedding

This policy setting only applies to subscription versions of Office, such as Microsoft 365 Apps for enterprise, and to subscription versions of Project and Visio.​

This policy setting allows you to specify additional file extensions that Office will block when they are embedded as an OLE package in an Office file by using the Object Packager control.

By default, Office blocks certain file extensions. For a list of those file extensions, go to

Important: Malicious scripts and executables can be embedded as an OLE package and can cause harm if clicked by the user.

If you enable this policy setting, enter the additional file extensions to block, separated by semicolons. For example, py;rb.

If you disable or don't configure this policy setting, the default set of file extensions will be blocked.

If you want to allow certain file extensions, enable the "Allow file extensions for OLE embedding" policy setting. Extensions added to this policy setting will take precedence over extensions in "Allow file extensions for OLE embedding"

Supported on: At least Windows 7

File extensions:

Registry Pathsoftware\policies\microsoft\office\common\security
Value Nameblockedextensions
Value TypeREG_SZ
Default Value


Administrative Templates (Computers)

Administrative Templates (Users)