With Microsoft temporarily rolling back a feature that automatically blocks macros in Microsoft Office files downloaded from the Internet, it is essential to learn how to configure this security setting manually. This article will explain why users should block macros in Internet downloads and how you can block them in Microsoft Office.
A common distribution method used by some of the most notorious malware, including Emotet, Dridex, Qbot, and RedLine stealer, is to send phishing emails containing malicious Word or Excel documents with macros that install the malware on the target’s devices.
To prevent this distribution method, Microsoft announced in February that Microsoft Office would automatically block VBA macros in documents downloaded from the Internet starting in June.
This announcement was met with resounding support from many Windows admins, cybersecurity professionals, and end-users who saw it as having a significant impact on the security of Windows.
However, soon after the feature went live in June, Microsoft suddenly and without any real explanation rolled back this change, leaving Windows and Microsoft Office users once again at risk from Office documents with malicious macros.
While the rollback is only temporary until customer concerns are addressed, the good news is that you can manually enable this feature on your devices using group policies.
Understanding the Mark-of-the-Web
Before we explain how to automatically block macros in Microsoft Office files downloaded from the Internet, it is essential to understand a Windows feature called the ‘Mark-of-the-Web’.
The Mark-of-the-Web is a special NTFS alternate data stream added to downloaded files that tells Windows and supporting applications, such as Microsoft Office, that the file was downloaded from the Internet and should be considered risky to open.
When a file has a Mark-of-the-Web, and you try to open it, Windows will display additional warnings to the user, asking if they are sure they wish to run the file.
Microsoft Office will also check for a Mark-of-the-Web, and if found, open the document in Protected View, warning that the document can contain viruses.
However, if you have ever managed Windows devices, you will know that these warnings are commonly ignored, leading to a device becoming infected and a network becoming compromised.
Blocking macros in Internet documents
Since 2016, Microsoft has had a Microsoft Office group policy called ‘Block macros from running in Office files from the Internet’ that automatically prevents macros from running in documents carrying a ‘Mark-of-the-Web’.
While not as pretty as the new feature that Microsoft rolled back, it performs the same functionality of blocking macros on all downloaded Office documents.
To enable this policy, you can download and install the Microsoft Office group policies and configure the ‘Block macros from running Office files from the Internet’ policy for each application you would like to secure.
To automatically block macros in Microsoft Office files downloaded from the Internet, navigate to the ‘Block macros from running Office files from the Internet’ policy for the application you want to secure and set the policy to Enabled.
Once this policy is enabled, a new Registry value named ‘blockcontentexecutionfrominternet’ will be set to ‘1’ under the HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\office\[office version]\[office application]\security key.
For example, when configuring this policy for Microsoft Word, Windows will create the following Registry value:
With this policy enabled, if you open a Word document with macros that was downloaded from the Internet, with Protected View disabled, and try to enable the macros, you will see a warning stating, “BLOCKED CONTENT Macros in this document have been disabled by your enterprise administrator for security reasons.”
If you trust this document and know it is safe, you can remove the Mark-of-the-Web by opening the file’s properties, clicking the Unblock button in the security section, and then pressing the Apply button.
Once you Unblock the file, or remove its Mark-of-the-Web, macros can once again be executed when you open that particular document.
It needs to be reiterated that you should only remove the Mark-of-the-Web from documents you know are 100% trustworthy.
With this policy, you can now achieve the same level of protection as Microsoft’s rolled-back feature. Furthermore, if blocking all macros is a problem for your organization, it is possible to configure ‘Trusted Locations’ where users can save documents without having their macros blocked.
Microsoft also provides various documentation on configuring this policy and creating Trusted Locations, which are recommended to be read by all Windows admins.
Update (17-03-2023): the following section is taken from the article “How to Prevent or Block Macros from running in Microsoft Office files” at www.thewindowsclub.com.
You can block Macros and consequently, Macro viruses or Macro targeted malware files, from the Internet, from opening & running automatically in your Microsoft Office programs like Word, Excel, or PowerPoint documents using Group Policy or Registry Editor in Windows 11/10.
Office Macros are basically small bits of code written in Visual Basic (VBA), that allow you to carry out select repetitive tasks. They are useful by themselves, but many times malware writers misuse this functionality to introduce malware into your computer system.
A Macro virus is a virus that takes advantage of Macros that run in Microsoft Office applications such as Microsoft Word, PowerPoint, or Excel. Cybercriminals send you a macro-infested payload or a file that will, later on, download a malicious script, via email and use a subject line that interests or provokes you into opening the document. When you open the document, a macro runs to execute whatever the task the criminal wants.
Microsoft has disabled macros by default. The default Office setting is now Disable all macros with notification; that is, no macro runs in Microsoft Word until you allow it to run, and downloaded files now open in Protected View.
Macro-based malware has made a comeback and is again on the rise. Microsoft has therefore rolled out a new Group Policy update to all Office clients on the network that blocks Internet originating macros from loading, in high-risk scenarios, and thus helps enterprise administrators prevent the risk of macros.
Block Macros from running in Office files using Group Policy
To enable this policy setting, Run gpedit.msc and navigate to the following setting:
Double-click the Block macros from running in Office files from the Internet setting and set it to Enabled.
Prevent Macros from running in Microsoft Office using Registry
To prevent Macros from running in Microsoft Office using Registry, follow these steps:
- Press Win+R to open the Run prompt.
- Type regedit > press the Enter button > click the Yes button.
- Navigate to Software\Policies\Microsoft\office\16.0 in HKCU.
- Right-click on 16.0 > New > Key and name it word.
- Right-click on word > New > Key and set the name as security.
- Right-click on security > New > DWORD (32-bit) Value.
- Set the name as blockcontentexecutionfrominternet.
- Double-click on it to set the Value data as 1.
- Click the OK button and restart your computer.
To learn more about these steps, continue reading.
Then, navigate to this path:
HKEY_CURRENT_USER\Software\Policies\Microsoft\office\16.0
Double-click on the blockcontentexecutionfrominternet value to set the Value data as 1 and click the OK button.
Finally, restart your computer to apply the change. However, if you want to revert the change and apply the default setting, you need to delete the blockcontentexecutionfrominternet REG_DWORD value. To do that, right-click on it, select the Delete option, and click the Yes button.
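The registry steps above, and the per-application policy key described earlier in this page, can be applied and verified from PowerShell instead of Registry Editor. The following script is an added example written for this page; it is not from any of the quoted articles or from Microsoft. It assumes the 16.0 version key that the article itself uses (Office 2016 and later) and the five applications the policy exists for; the function names are my own.

```powershell
# Added example (not from the article): set and audit the per-user
# 'Block macros from running in Office files from the Internet' policy value
# for the Office applications that support it.
# Assumes the 16.0 registry version key (Office 2016 and later); older
# versions of Office use a different version number under the same path.

$OfficeVersion = '16.0'
$PolicyRoot    = "HKCU:\SOFTWARE\Policies\Microsoft\office\$OfficeVersion"
$ValueName     = 'blockcontentexecutionfrominternet'
# The five applications that have this policy.
$DefaultApps   = @('word', 'excel', 'powerpoint', 'access', 'visio')

function Set-OfficeInternetMacroBlock {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string[]]$Apps = $DefaultApps,
        [ValidateSet(0, 1)][int]$Value = 1   # 1 = blocked (Enabled), 0 = Disabled
    )
    foreach ($app in $Apps) {
        $key = Join-Path $PolicyRoot "$app\security"
        if ($PSCmdlet.ShouldProcess($key, "Set $ValueName=$Value")) {
            # New-Item -Force creates the intermediate application key when missing.
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            New-ItemProperty -Path $key -Name $ValueName -PropertyType DWord `
                             -Value $Value -Force | Out-Null
        }
    }
}

function Get-OfficeInternetMacroBlock {
    param([string[]]$Apps = $DefaultApps)
    foreach ($app in $Apps) {
        $key  = Join-Path $PolicyRoot "$app\security"
        $data = $null
        if (Test-Path $key) {
            $data = (Get-ItemProperty -Path $key -Name $ValueName `
                     -ErrorAction SilentlyContinue).$ValueName
        }
        # Map the raw value to the protection levels the policy tables use.
        $state = 'Not protected (Not Configured)'
        if ($data -eq 1) { $state = 'Protected (Enabled)' }
        elseif ($data -eq 0) { $state = 'Not protected (Disabled)' }
        [pscustomobject]@{
            Application = $app
            Key         = $key
            Value       = $data
            State       = $state
        }
    }
}

# Usage: preview the change, apply it, then verify every application.
Set-OfficeInternetMacroBlock -WhatIf
Set-OfficeInternetMacroBlock
Get-OfficeInternetMacroBlock | Format-Table -AutoSize
```

Run the audit function on its own on a fleet to find users whose key is still missing (Not Configured) before relying on the policy; a value of 0 means someone explicitly disabled the protection, which is worth investigating. Because the value lives under the per-user Policies branch, Group Policy will reassert it on the next refresh if the setting is also deployed centrally.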
There has been a jump in the incidence of macro viruses delivered by email and social engineering, so exercise caution and stay safe at all times.
How do I stop macros from running in Office files from the Internet?
There are two ways to stop macros from running in Office files from the internet – using the Local Group Policy Editor and the Registry Editor. Both methods are mentioned above, and you can follow either of them. However, you need to install the administrator templates for Office if you want to use the GPEDIT method.
How do I disable macros in Excel GPO?
Update (19-03-2023): the following section is taken from the article “Macros from the internet will be blocked by default in Office” at learn.microsoft.com.
VBA macros are a common way for malicious actors to gain access to deploy malware and ransomware. Therefore, to help improve security in Office, we’re changing the default behavior of Office applications to block macros in files from the internet.
With this change, when users open a file that came from the internet, such as an email attachment, and that file contains macros, the following message will be displayed:
The Learn More button goes to an article for end users and information workers that contains information about the security risk of bad actors using macros, safe practices to prevent phishing and malware, and instructions on how to enable these macros (if absolutely needed).
In some cases, users will also see the message if the file is from a location within your intranet that’s not identified as being trusted. For example, if users are accessing files on a network share by using the share’s IP address. For more information, see Files centrally located on a network share or trusted website.
Prepare for this change
To prepare for this change, we recommend that you work with the business units in your organization that use macros in Office files that are opened from locations such as intranet network shares or intranet websites. You’ll want to identify those macros and determine what steps to take to keep using those macros. You’ll also want to work with independent software vendors (ISVs) that provide macros in Office files from those locations. For example, to see if they can digitally sign their code and you can treat them as a trusted publisher.
Also, review the following information:
Preparation action | More information |
---|---|
Understand which version in each update channel has this change | Versions of Office affected by this change |
See a flow chart of the process Office takes to determine whether to run macros in a file | How Office determines whether to run macros in files from the internet |
Identify files with VBA macros that might be blocked using the Readiness Toolkit | Use the Readiness Toolkit to identify files with VBA macros that might be blocked |
Learn about policies that you can use to control VBA macro execution | Use policies to manage how Office handles macros |
Steps to take to allow VBA macros to run in files that you trust
How you allow VBA macros to run in files that you trust depends on where those files are located or the type of file.
The following table list different common scenarios and possible approaches to take to unblock VBA macros and allow them to run. You don’t have to do all possible approaches for a given scenario. In the cases where we have listed multiple approaches, pick the one that best suits your organization.
Scenario | Possible approaches to take |
---|---|
Individual files | • Select the Unblock checkbox on the General tab of the Properties dialog for the file. • Use the Unblock-File cmdlet in PowerShell. For more information, see Remove Mark of the Web from a file. |
Files centrally located on a network share or trusted website | • Unblock the file using an approach listed under “Individual files.” • If there isn’t an Unblock checkbox and you want to trust all files in that network location, see Files centrally located on a network share or trusted website. |
Files stored on OneDrive or SharePoint, including a site used by a Teams channel | • Have users directly open the file by using the Open in Desktop App option. • If users download the file locally before opening it, remove Mark of the Web from the local copy of the file (see the approaches under “Individual files”). • Designate the location as a Trusted site. For more information, see Files on OneDrive or SharePoint. |
Macro-enabled template files for Word, PowerPoint, and Excel | If the template file is stored on the user’s device: • Remove Mark of the Web from the template file (see the approaches under “Individual files”). • Save the template file to a Trusted Location. If the template file is stored on a network location, see Macro-enabled template files for Word, PowerPoint, and Excel. |
Macro-enabled add-in files for PowerPoint | • Remove Mark of the Web from the Add-in file. • Use a digital signature and trust the publisher. • Save the Add-in file to a Trusted Location. For more information, see Macro-enabled add-in files for PowerPoint and Excel. |
Macro-enabled add-in files for Excel | • Remove Mark of the Web from the Add-in file. • Save the Add-in file to a Trusted Location. For more information, see Macro-enabled add-in files for PowerPoint and Excel. |
Macros that are signed by a trusted publisher | • [recommended] Deploy the public code-signing certificate for the trusted publisher to your users and prevent your users from adding trusted publishers themselves. • Remove Mark of the Web from the file, and have the user add the publisher of the macro as a trusted publisher. For more information, see Macros that are signed by a trusted publisher. |
Groups of files saved to folders on the user’s device | Designate the folder a Trusted Location. For more information, see Trusted Locations. |
Versions of Office affected by this change
This change only affects Office on devices running Windows and only affects the following applications: Access, Excel, PowerPoint, Visio, and Word.
The following table shows when this change became available in each update channel.
Update channel | Version | Date |
---|---|---|
Current Channel (Preview) | Version 2203 | Started rolling out on April 12, 2022 |
Current Channel | Version 2206 | Started rolling out on July 27, 2022 |
Monthly Enterprise Channel | Version 2208 | October 11, 2022 |
Semi-Annual Enterprise Channel (Preview) | Version 2208 | October 11, 2022 |
Semi-Annual Enterprise Channel | Version 2208 | January 10, 2023 |
The change doesn’t affect Office on a Mac, Office on Android or iOS devices, or Office on the web.
How Office determines whether to run macros in files from the internet
The following flowchart graphic shows how Office determines whether to run macros in a file from the internet.
The following steps explain the information in the flowchart graphic, except for Excel Add-in files. For more information about those files, see Macro-enabled add-in files for PowerPoint and Excel. Also, if a file is located on a network share that isn’t in the Local intranet zone or isn’t a trusted site, macros will be blocked in that file.
1. A user opens an Office file containing macros obtained from the internet, for example an email attachment. The file has Mark of the Web (MOTW).
2. If the file is from a Trusted Location, the file is opened with the macros enabled. If the file isn’t from a Trusted Location, the evaluation continues.
3. If the macros are digitally signed and the matching Trusted Publisher certificate is installed on the device, the file is opened with the macros enabled. If not, then the evaluation continues.
4. Policies are checked to see if macros are allowed or blocked. If the policies are set to Not Configured, the evaluation continues to Step 6.
5. If the user had previously opened the file, before this change in default behavior, and had selected Enable content from the Trust Bar, then the macros are enabled because the file is considered trusted.
6. This step is where the change to the default behavior of Office takes effect. With this change, macros in files from the internet are blocked and users will see the Security Risk banner when they open the file.
Guidance on allowing VBA macros to run in files you trust
Remove Mark of the Web from a file
For an individual file, such as a file downloaded from an internet location or an email attachment the user has saved to their local device, the simplest way to unblock macros is to remove Mark of the Web. To remove, right-click on the file, choose Properties, and then select the Unblock checkbox on the General tab.
You can also use the Unblock-File cmdlet in PowerShell to remove the ZoneId value from the file. Removing the ZoneId value will allow VBA macros to run by default. Using the cmdlet does the same thing as selecting the Unblock checkbox on the General tab of the Properties dialog for the file. For more information about the ZoneId value, see Mark of the Web and zones.
Files centrally located on a network share or trusted website
If you have your users access files from a trusted website or an internal file server, you can do either of the following steps so that macros from those locations won’t be blocked.
- Designate the location as a Trusted site
- If the network location is on the intranet, add the location to the Local intranet zone
For example, if users are accessing a network share by using its IP address, macros in those files will be blocked unless the file share is in the Trusted sites or the Local intranet zone.
For example, you could add a file server or network share as a trusted site, by adding its FQDN or IP address to the list of trusted sites.
If you want to add URLs that begin with http:// or network shares, clear the Require server verification (https:) for all sites in this zone checkbox.
You can use Group Policy and the “Site to Zone Assignment List” policy to add locations as trusted sites or to the Local intranet zone for Windows devices in your organization. This policy is found under Windows Components\Internet Explorer\Internet Control Panel\Security Page in the Group Policy Management Console. It’s available under both Computer Configuration\Policies\Administrative Templates and User Configuration\Policies\Administrative Templates.
Files on OneDrive or SharePoint
- If a user selects Open in Desktop App in a file opened from the OneDrive website or from a SharePoint site (including a site used by a Teams channel), then the file won’t have Mark of the Web.
- If a user has the OneDrive sync client running and the sync client downloads a file, then the file won’t have Mark of the Web.
- Files that are in Windows known folders (Desktop, Documents, Pictures, Screenshots, and Camera Roll), and are synced to OneDrive, don’t have Mark of the Web.
If you have a group of users, such as the Finance department, that need to use files from OneDrive or SharePoint without macros being blocked, here are some possible options:
- Have them open the file by using the Open in Desktop App option.
- Have them download the file to a Trusted Location.
- Set the Windows internet security zone assignment for OneDrive or SharePoint domains to Trusted Sites. Admins can use the “Site to Zone Assignment List” policy and configure the policy to place https://{your-domain-name}.sharepoint.com (for SharePoint) or https://{your-domain-name}-my.sharepoint.com (for OneDrive) into the Trusted Sites zone. This policy is found under Windows Components\Internet Explorer\Internet Control Panel\Security Page in the Group Policy Management Console. It’s available under both Computer Configuration\Policies\Administrative Templates and User Configuration\Policies\Administrative Templates.
SharePoint permissions and OneDrive sharing aren’t changed by adding these locations to Trusted Sites. Maintaining access control is important. Anyone with permissions to add files to SharePoint could add files with active content, such as macros. Users who download files from domains in the Trusted Sites zone will bypass the default to block macros.
Macro-enabled template files for Word, PowerPoint, and Excel
Macro-enabled template files for Word, PowerPoint, and Excel that are downloaded from the internet will have Mark of the Web. For example, template files with the following extensions:
- .dot
- .dotm
- .pot
- .potm
- .xlt
- .xltm
When the user opens the macro-enabled template file, the user will be blocked from running the macros in the template file. If the user trusts the source of the template file, they can remove Mark of the Web from the template file, and then reopen the template file in the Office app.
If you have a group of users that need to use macro-enabled templates without macros being blocked, you can take either of the following actions:
- Use a digital signature and trust the publisher.
- If you’re not using digital signatures, you can save the template file to a Trusted Location and have users get the template file from that location.
Macro-enabled add-in files for PowerPoint and Excel
Macro-enabled Add-in files for PowerPoint and Excel that are downloaded from the internet will have Mark of the Web. For example, Add-in files with the following extensions:
- .ppa
- .ppam
- .xla
- .xlam
If you have a group of users that need to use macro-enabled Add-in files without macros being blocked, you can take the following actions.
For PowerPoint Add-in files:
- Remove Mark of the Web from the .ppa or .ppam file.
- Use a digital signature and trust the publisher.
- Save the Add-in file to a Trusted Location for users to retrieve.
For Excel Add-in files:
- Remove Mark of the Web from the .xla or .xlam file.
- Save the Add-in file to a Trusted Location for users to retrieve.
Macros that are signed by a trusted publisher
If the macro is signed and you’ve validated the certificate and trust the source, you can make that source a trusted publisher. We recommend, if possible, that you manage trusted publishers for your users. For more information, see Trusted publishers for Office files.
If you have just a few users, you can have them remove Mark of the Web from the file and then add the source of the macro as a trusted publisher on their devices.
Trusted Locations
Saving files from the internet to a Trusted Location on a user’s device ignores the check for Mark of the Web and opens with VBA macros enabled. For example, a line of business application could send reports with macros on a recurring basis. If files with macros are saved to a Trusted Location, users won’t need to go to the Properties for the file, and select Unblock to allow the macros to run.
Because macros aren’t blocked in files saved to a Trusted Location, you should manage Trusted Locations carefully and use them sparingly. Network locations can also be set as a Trusted Location, but it’s not recommended. For more information, see Trusted Locations for Office files.
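Since a Trusted Location bypasses the Mark of the Web check entirely, an administrator should know which folders each Office application currently trusts for a user. The following audit script is an added example written for this page, not Microsoft’s code. It assumes the 16.0 version key and the usual Trusted Locations\LocationN subkeys with Path, AllowSubfolders and Description values; it reads both the user-configured branch and the policy-enforced branch and flags the entries this section warns about (network locations) plus two others worth a second look (locations that include subfolders, and user-writable download or temp folders).

```powershell
# Added example (not from the article): list the Trusted Locations each
# Office application honours for the current user and flag risky entries.
# Assumes Office version key 16.0 and the 'Trusted Locations\LocationN'
# layout with Path / AllowSubfolders / Description values.

$OfficeVersion = '16.0'
$Apps  = @('Word', 'Excel', 'PowerPoint', 'Access', 'Visio')
$Roots = @(
    "HKCU:\Software\Microsoft\Office\$OfficeVersion",           # user-configured
    "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion"   # policy-enforced
)

function Get-OfficeTrustedLocation {
    foreach ($root in $Roots) {
        $source = 'User'
        if ($root -like '*\Policies\*') { $source = 'Policy' }
        foreach ($app in $Apps) {
            $tl = "$root\$app\Security\Trusted Locations"
            if (-not (Test-Path $tl)) { continue }
            foreach ($loc in Get-ChildItem -Path $tl) {
                $p = Get-ItemProperty -Path $loc.PSPath
                if (-not $p.Path) { continue }
                # Paths are often stored with %APPDATA%-style variables.
                $path  = [Environment]::ExpandEnvironmentVariables($p.Path)
                $flags = @()
                if ($path -like '\\*')        { $flags += 'network path' }
                if ($p.AllowSubfolders -eq 1) { $flags += 'includes subfolders' }
                if ($path -match '\\(Downloads|Temp)\\?$') {
                    $flags += 'user-writable download/temp folder'
                }
                [pscustomobject]@{
                    Application     = $app
                    Source          = $source
                    Name            = $loc.PSChildName
                    Path            = $path
                    AllowSubfolders = [bool]$p.AllowSubfolders
                    Description     = $p.Description
                    Review          = ($flags -join '; ')
                }
            }
        }
    }
}

# Full inventory, then only the entries that carry a review flag.
Get-OfficeTrustedLocation | Sort-Object Application, Source | Format-Table -AutoSize
Get-OfficeTrustedLocation | Where-Object Review |
    Format-Table Application, Source, Path, Review -AutoSize
```

Entries whose Source is Policy are the ones you deployed centrally; User entries were added through the Trust Center by the user (or by an installer) and are the ones most likely to have drifted. A network path in the list is exactly the case this section recommends against, and a trusted folder that a download can land in defeats the Mark of the Web protection for every file saved there.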
Additional information about Mark of the Web
Mark of the Web and Trusted Documents
When a file is downloaded to a device running Windows, Mark of the Web is added to the file, identifying its source as being from the internet. Currently, when a user opens a file with Mark of the Web, a SECURITY WARNING banner appears, with an Enable content button. If the user selects Enable content, the file is considered a Trusted Document, and macros are allowed to run. The macros will continue to run even after the change of default behavior to block macros in files from the internet is implemented, because the file is still considered a Trusted Document.
After the change of default behavior to block macros in files from the internet, users will see a different banner the first time they open a file with macros from the internet. This SECURITY RISK banner doesn’t have the option to Enable content. But users will be able to go to the Properties dialog for the file, and select Unblock, which will remove Mark of the Web from the file and allow the macros to run, as long as no policy or Trust Center setting is blocking.
Mark of the Web and zones
By default, Mark of the Web is added to files only from the Internet or Restricted sites zones.
You can view the ZoneId value for a file by running the following command at a command prompt, and replacing {name of file} with your file name.
notepad {name of file}:Zone.Identifier
When you run this command, Notepad will open and display the ZoneId under the [ZoneTransfer] section.
Here’s a list of ZoneId values and what zone they map to.
- 0 = My Computer
- 1 = Local intranet
- 2 = Trusted sites
- 3 = Internet
- 4 = Restricted sites
For example, if the ZoneId is 2, VBA macros in that file won’t be blocked by default. But if the ZoneId is 3, macros in that file will be blocked by default.
You can use the Unblock-File cmdlet in PowerShell to remove the ZoneId value from the file. Removing the ZoneId value will allow VBA macros to run by default. Using the cmdlet does the same thing as selecting the Unblock checkbox on the General tab of the Properties dialog for the file.
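The Zone.Identifier stream described above can be read and interpreted directly from PowerShell, which is handy when triaging a suspicious attachment or checking why a document is (or is not) being blocked. The following script is an added example written for this page, not Microsoft’s code. It uses only the stream name, section name and ZoneId values the section lists; the sample file it stamps with a ZoneId of 3 is constructed for the demonstration, and the function name is my own.

```powershell
# Added example (not from the article): read the Zone.Identifier alternate
# data stream that carries Mark of the Web, map its ZoneId to the zone
# names listed above, and report whether Office blocks VBA macros in the
# file by default (ZoneId 3 = Internet, 4 = Restricted sites).

$ZoneNames = @{
    0 = 'My Computer'
    1 = 'Local intranet'
    2 = 'Trusted sites'
    3 = 'Internet'
    4 = 'Restricted sites'
}

function Get-FileZoneId {
    param([Parameter(Mandatory)][string]$Path)
    $zoneId = $null
    # A file with no Zone.Identifier stream carries no Mark of the Web at all.
    $raw = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if ($raw) {
        $inSection = $false
        foreach ($line in $raw) {
            $trim = $line.Trim()
            # Only honour ZoneId inside the [ZoneTransfer] section.
            if ($trim -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'ZoneTransfer'); continue }
            if ($inSection -and $trim -match '^ZoneId\s*=\s*(\d+)\s*$') { $zoneId = [int]$Matches[1] }
        }
    }
    $zoneName = 'None / unknown'
    if ($null -ne $zoneId -and $ZoneNames.ContainsKey($zoneId)) { $zoneName = $ZoneNames[$zoneId] }
    [pscustomobject]@{
        Path                   = $Path
        ZoneId                 = $zoneId
        Zone                   = $zoneName
        HasMarkOfTheWeb        = ($null -ne $zoneId)
        # Mark of the Web is added (and macros blocked) only for zones 3 and 4.
        MacrosBlockedByDefault = ($zoneId -in 3, 4)
    }
}

# Constructed demonstration: create a throwaway file and stamp it as if it
# had been downloaded from the Internet zone.
$sample = Join-Path $env:TEMP 'motw-demo.docm'
Set-Content -LiteralPath $sample -Value 'constructed sample, not a real document'
Set-Content -LiteralPath $sample -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"

Get-FileZoneId -Path $sample            # Internet zone: blocked by default
Unblock-File -LiteralPath $sample       # removes the Zone.Identifier stream
Get-FileZoneId -Path $sample            # no Mark of the Web any more
Remove-Item -LiteralPath $sample
```

The first call reports ZoneId 3 (Internet) with MacrosBlockedByDefault set to True; after Unblock-File the stream is gone, so the second call reports no Mark of the Web and macros would run subject only to the Trust Center and policy settings. Note that the function only inspects the stream: it does not tell you whether a Trusted Location, a trusted publisher signature or a previous Enable content decision would let the macros run anyway, which is why the flowchart section above checks those first.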
Use the Readiness Toolkit to identify files with VBA macros that might be blocked
To identify files that have VBA macros that might be blocked from running, you can use the Readiness Toolkit for Office add-ins and VBA, which is a free download from Microsoft.
The Readiness Toolkit includes a standalone executable that can be run from a command line or from within a script. You can run the Readiness Toolkit on a user’s device to look at files on the user’s device. Or you can run it from your device to look at files on a network share.
When you run the standalone executable version of the Readiness Toolkit, a JSON file is created with the information collected. You’ll want to save the JSON files in a central location, such as a network share. Then you’ll run the Readiness Report Creator, which is a UI wizard version of the Readiness Toolkit. This wizard will consolidate the information in the separate JSON files into a single report in the form of an Excel file.
To identify files that might be impacted by using the Readiness Toolkit, follow these basic steps:
1. Download the most current version of the Readiness Toolkit from the Microsoft Download Center. Make sure you’re using at least Version 1.2.22161, which was released on June 14, 2022.
2. Install the Readiness Toolkit.
3. From a command prompt, go to the folder where you installed the Readiness Toolkit and run the ReadinessReportCreator.exe command with the blockinternetscan option. For example, if you want to scan files in the c:\officefiles folder (and all its subfolders) on a device and save the JSON file with the results to the Finance share on Server01, you can run the following command:
ReadinessReportCreator.exe -blockinternetscan -p c:\officefiles -r -output \\server01\finance -silent
4. After you’ve done all your scans, run the Readiness Report Creator.
5. On the Create a readiness report page, select Previous readiness results saved together in a local folder or network share, and then specify the location where you saved all the files for the scans.
6. On the Report settings page, select Excel report, and then specify a location to save the report.
7. When you open the report in Excel, go to the VBA Results worksheet.
8. In the Guideline column, look for Blocked VBA file from Internet.
For more detailed information about using the Readiness Toolkit, see Use the Readiness Toolkit to assess application compatibility for Microsoft 365 Apps.
Use policies to manage how Office handles macros
You can use policies to manage how Office handles macros. We recommend that you use the Block macros from running in Office files from the Internet policy. But if that policy isn’t appropriate for your organization, the other option is the VBA Macro Notification Settings policy.
For more information on how to deploy these policies, see Tools available to manage policies.
Block macros from running in Office files from the Internet
This policy prevents users from inadvertently opening files containing macros from the internet. When a file is downloaded to a device running Windows, or opened from a network share location, Mark of the Web is added to the file identifying it was sourced from the internet.
We recommend enabling this policy as part of the security baseline for Microsoft 365 Apps for enterprise. You should enable this policy for most users and only make exceptions for certain users as needed.
There’s a separate policy for each of the five applications. The following table shows where each policy can be found in the Group Policy Management Console under User Configuration\Policies\Administrative Templates:
Application | Policy location |
---|---|
Access | Microsoft Access 2016\Application Settings\Security\Trust Center |
Excel | Microsoft Excel 2016\Excel Options\Security\Trust Center |
PowerPoint | Microsoft PowerPoint 2016\PowerPoint Options\Security\Trust Center |
Visio | Microsoft Visio 2016\Visio Options\Security\Trust Center |
Word | Microsoft Word 2016\Word Options\Security\Trust Center |
Which state you choose for the policy determines the level of protection you’re providing. The following table shows the current level of protection you get with each state, before the change in default behavior is implemented.
Protection level | Policy state | Description |
---|---|---|
Protected [recommended] | Enabled | Users will be blocked from running macros in files obtained from the internet. Part of the Microsoft recommended security baseline. |
Not protected | Disabled | Will respect the settings configured under File > Options > Trust Center > Trust Center Settings… > Macro Settings. |
Not protected | Not Configured | Will respect the settings configured under File > Options > Trust Center > Trust Center Settings… > Macro Settings. |
After we implement the change to the default behavior, the level of protection changes when the policy is set to Not Configured.
Protection level | Policy state | Description |
---|---|---|
Protected | Not Configured | Users will be blocked from running macros in files obtained from the internet. Users will see the Security Risk banner with a Learn More button. |
VBA Macro Notification Settings
If you don’t use the “Block macros from running in Office files from the Internet” policy, you can use the “VBA Macro Notification Settings” policy to manage how macros are handled by Office.
This policy prevents users from being lured into enabling malicious macros. By default, Office is configured to block files that contain VBA macros and display a Trust Bar with a warning that macros are present and have been disabled. Users can inspect and edit the files if appropriate, but can’t use any disabled functionality until they select Enable Content on the Trust Bar. If the user selects Enable Content, then the file is added as a Trusted Document and macros are allowed to run.
There’s a separate policy for each of the five applications. The following table shows where each policy can be found in the Group Policy Management Console under User Configuration\Policies\Administrative Templates:
Application | Policy location |
---|---|
Access | Microsoft Access 2016\Application Settings\Security\Trust Center |
Excel [1] | Microsoft Excel 2016\Excel Options\Security\Trust Center |
PowerPoint | Microsoft PowerPoint 2016\PowerPoint Options\Security\Trust Center |
Visio | Microsoft Visio 2016\Visio Options\Security\Trust Center |
Word | Microsoft Word 2016\Word Options\Security\Trust Center |
Which state you choose for the policy determines the level of protection you’re providing. The following table shows the level of protection you get with each state.
Protection level | Policy state | Policy value
---|---|---
Protected [recommended] | Enabled | Disable all except digitally signed macros (and select “Require macros to be signed by a trusted publisher”)
Protected | Enabled | Disable all without notification
Partially protected | Enabled | Disable all with notification
Partially protected | Disabled | (Same behavior as “Disable all with notification”)
Not protected | Enabled | Enable all macros (not recommended)
The following table shows the choices users can make under Macro Settings and the level of protection each setting provides.
Protection level | Setting chosen
---|---
Protected | Disable all macros except digitally signed macros
Protected | Disable all macros without notification
Partially protected | Disable all macros with notification (default)
Not protected | Enable all macros (not recommended; potentially dangerous code can run)
Tools available to manage policies
There are several tools available to you to configure and deploy policy settings to users in your organization.
- Cloud Policy
- Microsoft Intune admin center
- Group Policy Management Console
Cloud Policy
You can use Cloud Policy to configure and deploy policy settings to devices in your organization, even if the device isn’t domain joined. Cloud Policy is a web-based tool and is found in the Microsoft 365 Apps admin center.
In Cloud Policy, you create a policy configuration, assign it to a group, and then select policies to be included in the policy configuration. To select a policy to include, you can search by the name of the policy. Cloud Policy also shows which policies are part of the Microsoft recommended security baseline. The policies available in Cloud Policy are the same User Configuration policies that are available in the Group Policy Management Console.
For more information, see Overview of Cloud Policy service for Microsoft 365.
Microsoft Intune admin center
In the Microsoft Intune admin center, you can use either the Settings catalog (preview) or Administrative Templates to configure and deploy policy settings to your users for devices running Windows 10 or later.
For more information, see the following articles:
- Use the settings catalog to configure settings on Windows and macOS devices – preview
- Use Windows 10/11 templates to configure group policy settings in Microsoft Intune
Group Policy Management Console
If you have Windows Server and Active Directory Domain Services (AD DS) deployed in your organization, you can configure policies by using Group Policy. To use Group Policy, download the most current Administrative Template files (ADMX/ADML) for Office, which include the policy settings for Microsoft 365 Apps for enterprise. After you copy the Administrative Template files to AD DS, you can use the Group Policy Management Console to create Group Policy Objects (GPOs) that include policy settings for your users, and for domain joined devices.
- Macro malware
- Understanding malware & other threats
- How to protect against phishing attacks
- Manage active content in Office documents
- Add, remove, or change a trusted location
- Trusted document settings have changed
Update (28-03-2023): the following section is taken from the article “Intel Insight: How to Disable Macros” published at www.cisecurity.org.
Overview
The MS-ISAC observes specific malware variants consistently reaching The Top 10 Malware list. These specific malware variants have traits allowing them to be highly effective against State, Local, Tribal, and Territorial (SLTT) government networks, consistently infecting more systems than other types of malware. An examination of the characteristics of these malware variants revealed that they often abuse legitimate tools or parts of applications on a system or network. One such legitimate part of an application is macro instructions.
Understanding the Threat Surface
Macro instructions (macros) are a set of rules or instructions used to automate repetitive or complex tasks. These instructions are compressed into a smaller form which, when used, is decompressed into the original instruction details. Macros are often used by cyber threat actors (CTAs) to obfuscate the delivery of malicious payloads. CTAs use social engineering to trick end users into opening malicious Microsoft Word or Excel attachments included in malspam emails. Once an end user opens the attachment, they are prompted to enable macros. If the user follows the prompt and enables macros, the malicious payload runs automatically, infecting the system. CTAs use macros to bypass security controls by obfuscating the instructions for their malicious tasks in the compressed macro file.
Recommendations
Configuration settings can automatically block macros from running. After evaluating your environment and performing appropriate testing, use Group Policy to block or disable macros from running in Microsoft Word, Excel, and PowerPoint, including files downloaded from the Internet and those that are not digitally signed. This setting allows you to block macros from running even if “Enable all macros” is selected in the Macro Settings. Additionally, the digital signature acts as a way of validating who sent the document, preventing the accidental enabling of macros on a document containing a malicious payload. The MS-ISAC recommends organizations use the CIS Benchmarks and CIS Build Kits, which are a part of CIS SecureSuite.
Please see below for detailed steps on globally disabling macros.
For disabling Microsoft Office macros via Active Directory / Domain Controller
This feature was highlighted in Microsoft Office 2016.
- Install the Office 2016 Administrative Template files (ADMX/ADML) and Office Customization Tool on the Active Directory Domain Controller.
- Upon completing the installation:
  - Click Start Menu > Control Panel > System and Security > Administrative Tools.
  - Open the Group Policy Management Console.
  - Right-click the Group Policy Object you want to configure and click Edit.
  - In the Group Policy Management Editor, go to User Configuration.
  - Click Administrative templates > Microsoft Word 2016 > Word options > Security > Trust Center.
  - Open the Block macros from running in Office files from the Internet setting to configure and enable it.
  - Or, if macros are needed in your environment, open the Disable all macros except digitally signed macros setting instead.
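As an added example (not code from this page, Microsoft, or CIS): a PowerShell audit of the two policies described in the tables above and configured by the Group Policy steps just listed. It reads the per-user policy registry values `blockcontentexecutionfrominternet` and `vbawarnings`, which the Office ADMX templates write; those value names and the Office 16.0 path are taken from the ADMX templates, not from this page, and the “Require macros to be signed by a trusted publisher” sub-option is not handled here.

```powershell
# Added audit/remediation script; not part of the page or of Microsoft's/CIS's tooling.
# Assumptions: Office 16.0 (2016/2019/Microsoft 365 Apps) and the User Configuration
# policy registry path written by the Office ADMX templates.
$apps = 'Word', 'Excel', 'PowerPoint', 'Access', 'Visio'

# Values of the "VBA Macro Notification Settings" policy (registry value: vbawarnings).
$vbaText = @{ 1 = 'Enable all macros (not recommended)'
              2 = 'Disable all with notification'
              3 = 'Disable all except digitally signed macros'
              4 = 'Disable all without notification' }

function Get-OfficeMacroPolicy {
    param([Parameter(Mandatory)][string]$App)
    $key   = "HKCU:\Software\Policies\Microsoft\Office\16.0\$App\Security"
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $block = $props.blockcontentexecutionfrominternet   # "Block macros ... from the Internet"
    $vba   = $props.vbawarnings                         # "VBA Macro Notification Settings"

    # Protection levels follow the tables above: only Enabled blocks internet macros.
    $blockState = switch ($block) { 1 { 'Enabled' } 0 { 'Disabled' } default { 'Not Configured' } }
    $blockLevel = if ($block -eq 1) { 'Protected' } else { 'Not protected' }

    $vbaState = if ($null -eq $vba) { 'Not Configured (user Macro Settings apply)' } else { $vbaText[[int]$vba] }
    $vbaLevel = switch ([int]$vba) {
        { $_ -in 3, 4 } { 'Protected' }
        2               { 'Partially protected' }
        1               { 'Not protected' }
        default         { 'Partially protected (Office default is notification)' }
    }
    [pscustomobject]@{
        Application         = $App
        BlockInternetMacros = "$blockState - $blockLevel"
        VbaNotification     = "$vbaState - $vbaLevel"
    }
}

# Writes the recommended state from the tables above for one application
# (use after testing in your environment; a GPO-managed value will be re-applied by Group Policy).
function Set-OfficeMacroBaseline {
    param([Parameter(Mandatory)][string]$App)
    $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$App\Security"
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name blockcontentexecutionfrominternet -Value 1 -Type DWord
    Set-ItemProperty -Path $key -Name vbawarnings -Value 3 -Type DWord
}

# Audit only; call Set-OfficeMacroBaseline -App Word (etc.) to remediate.
$apps | ForEach-Object { Get-OfficeMacroPolicy -App $_ } | Format-Table -AutoSize
```

A device where every row reports Not protected for BlockInternetMacros is in the state the rollback left users in, so this is the first thing to check before trusting the user-facing Macro Settings.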
For disabling Microsoft Office macros via the End-User
The below instructions are for Office 365 Subscriptions, Office Online, Office 2019, Office 2016, Office 2013, and Office 2010.
Macro settings are located in the Microsoft Office Trust Center, which can be accessed using any of the Microsoft Office programs. Note: Your organization may have changed the default settings via the Active Directory / Domain Controller to prevent anyone from changing these settings.
- Click the File tab.
- Click Options.
- Click Trust Center, and then click Trust Center Settings.
- In the Trust Center, click Macro Settings.
- Select the macro setting that is appropriate for your organization (the MS-ISAC recommends one of the three settings below):
  - Disable all macros without notification
  - Disable all macros with notification
  - Disable all macros except digitally signed macros
- Click OK.
- Macros, or all non-digitally signed macros, are now disabled for the current end-user profile.
For more information please visit Microsoft’s webpage on Blocking Macros and Enabling or Disabling Macros.
The MS-ISAC is the focal point for cyber threat prevention, protection, response, and recovery for the nation’s state, local, tribal, and territorial (SLTT) governments. More information about this topic, as well as 24×7 cybersecurity assistance is available at 866-787-4722, [email protected]. The MS-ISAC is interested in your comments – an anonymous feedback survey is available.
Source: https://www.bleepingcomputer.com/news/microsoft/how-to-auto-block-macros-in-microsoft-office-docs-from-the-internet/