Disable all macros without notification: Macros and security alerts about macros are disabled.
In Excel this option is Disable VBA macros without notification and it only applies to VBA macros.
Disable all macros except digitally signed macros: Macros are disabled, and security alerts appear if there are unsigned macros present. However, if the macro is digitally signed by a trusted publisher, the macro just runs. If the macro is signed by a publisher you haven't trusted yet, you are given the opportunity to enable the signed macro and trust the publisher.
In Excel this option is Disable VBA macros except digitally signed macros and it only applies to VBA macros.
Enable all macros (not recommended, potentially dangerous code can run): All macros run without confirmation. This setting makes your computer vulnerable to malicious code.
In Excel this option is Enable VBA macros (not recommended, potentially dangerous code can run) and it only applies to VBA macros.
Excel also has a checkbox for Enable Excel 4.0 macros when VBA macros are enabled. If you select this checkbox, all of the above settings for VBA macros will also apply to Excel 4.0 (XLM) macros. If this checkbox is not selected, XLM macros are disabled without notification.
Trust access to the VBA project object model: Block or allow programmatic access to the Visual Basic for Applications (VBA) object model from an automation client. This security option is for code written to automate a Microsoft 365 program and manipulate the VBA environment and object model. It is a per-user and per-application setting, and denies access by default, hindering unauthorized programs from building harmful self-replicating code. For automation clients to access the VBA object model, the user running the code must grant access. To turn on access, select the check box.
The following list summarizes the various macro security settings. Under all settings, if antivirus software that works with Microsoft 365 is installed and the workbook contains macros, the workbook is scanned for known viruses before it is opened.
Disable all macros without notification: Click this option if you don't trust macros. All macros in documents and security alerts about macros are disabled. If there are documents that contain unsigned macros that you do trust, you can put those documents into a trusted location. Documents in trusted locations are allowed to run without being checked by the Trust Center security system.
Disable all macros with notification: This is the default setting. Click this option if you want macros to be disabled, but you want to get security alerts if there are macros present. This way, you can choose when to enable those macros on a case-by-case basis.
Disable all macros except digitally signed macros: This setting is the same as the Disable all macros with notification option, except that if the macro is digitally signed by a trusted publisher, the macro can run if you have already trusted the publisher. If you have not trusted the publisher, you are notified. That way, you can choose to enable those signed macros or trust the publisher. All unsigned macros are disabled without notification.
Enable all macros (not recommended, potentially dangerous code can run): Click this option to allow all macros to run. Using this setting makes your computer vulnerable to potentially malicious code and is not recommended.
Trust access to the VBA project object model: This setting is for developers and is used to deliberately lock out or allow programmatic access to the VBA object model from any Automation client. In other words, it provides a security option for code that is written to automate an Office program and programmatically manipulate the Microsoft Visual Basic for Applications (VBA) environment and object model. This is a per-user and per-application setting, and denies access by default. This security option makes it more difficult for unauthorized programs to build "self-replicating" code that can harm end-user systems. For any Automation client to be able to access the VBA object model programmatically, the user running the code must explicitly grant access. To turn on access, select the check box.
Office uses Microsoft Authenticode technology to enable macro creators to digitally sign a file or a macro project. The certificate that is used to create this signature confirms that the macro or document originated from the signer, and the signature confirms that the macro or document has not been altered.
The Learn More button goes to an article for end users and information workers that contains information about the security risk of bad actors using macros, safe practices to prevent phishing and malware, and instructions on how to enable these macros (if needed).
In some cases, users also see the message if the file is from a location within your intranet and isn't identified as being trusted, for example, if users are accessing files on a network share by using the share's IP address. For more information, see Files centrally located on a network share or trusted website.
Prepare for this change by working with the business units in your organization that utilize macros in Office files. These files are often opened from locations like intranet network shares or intranet websites. You want to identify those macros and determine what steps to take to keep using those macros. Work with independent software vendors (ISVs) that provide macros in Office files from those locations, for example, to see if they can digitally sign their code and you can treat them as a trusted publisher.
The following table lists different common scenarios and possible approaches to take to unblock VBA macros and allow them to run. You don't have to do all possible approaches for a given scenario. In the cases where we list multiple approaches, pick the one that best suits your organization.
If the user previously opened the file, before this change in default behavior, and selected Enable content from the Trust Bar, then the macros are enabled because the file is considered trusted.
To unblock macros in a file, like one from the internet or an email attachment, remove the Mark of the Web on your local device. To remove it, right-click on the file, choose Properties, and then select the Unblock checkbox on the General tab.
You can also use the Unblock-File cmdlet in PowerShell to remove the ZoneId value from the file. Removing the ZoneId value allows VBA macros to run by default. Using the cmdlet does the same thing as selecting the Unblock checkbox on the General tab of the Properties dialog for the file. For more information about the ZoneId value, see Mark of the Web and zones.
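Before removing Mark of the Web, it helps to know which macro-capable files actually carry it and from which zone. The following PowerShell sketch is an added example, not Microsoft's code: the function names and extension list are hypothetical, the zone numbers are the standard Windows URL security zones, and treating ZoneId 3 and 4 as "blocked by default" is an assumption about how the default described here is applied.

```powershell
# Standard Windows URL security zone numbers.
$ZoneNames = @{ 0 = 'Local machine'; 1 = 'Local intranet'; 2 = 'Trusted sites'
                3 = 'Internet';      4 = 'Restricted sites' }

function Get-ZoneIdFromText {
    # Parse the INI-style content of a Zone.Identifier stream.
    # Returns $null when no ZoneId line is present.
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match '^\s*ZoneId\s*=\s*(\d+)\s*$') { return [int]$Matches[1] }
    }
    return $null
}

function Get-MacroFileZone {
    # Hypothetical helper: list macro-capable Office files under $Path
    # together with the zone recorded in their Mark of the Web.
    param(
        [Parameter(Mandatory)][string]$Path,
        [string[]]$Extensions = @('.docm', '.dotm', '.xlsm', '.xltm', '.xlam',
                                  '.pptm', '.ppam', '.doc', '.xls', '.ppt')
    )
    Get-ChildItem -LiteralPath $Path -Recurse -File |
        Where-Object { $Extensions -contains $_.Extension.ToLower() } |
        ForEach-Object {
            # The stream does not exist when the file has no Mark of the Web.
            $text = Get-Content -LiteralPath $_.FullName -Stream Zone.Identifier `
                                -ErrorAction SilentlyContinue
            $zone = Get-ZoneIdFromText -Lines $text
            [pscustomobject]@{
                File             = $_.FullName
                ZoneId           = $zone
                Zone             = if ($null -ne $zone) { $ZoneNames[$zone] }
                                   else { 'No Mark of the Web' }
                # Assumption: Internet and Restricted sites are the blocked zones.
                BlockedByDefault = ($zone -in 3, 4)
            }
        }
}

# Constructed sample of a Zone.Identifier stream, to exercise the parser offline.
$sample = '[ZoneTransfer]', 'ZoneId=3'
Get-ZoneIdFromText -Lines $sample

# Usage (placeholder path): review the result before running Unblock-File on anything.
# Get-MacroFileZone -Path 'C:\Reports' | Where-Object BlockedByDefault
```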
For example, if users are accessing a network share by using its IP address, macros in those files are blocked unless the file share is in the Trusted sites or the Local intranet zone.
If a user downloads a file on OneDrive or SharePoint by using a web browser, the configuration of the Windows internet security zone (Control Panel > Internet Options > Security) determines whether the browser sets Mark of the Web. For example, Microsoft Edge sets Mark of the Web on a file if it's from the Internet zone.
If a user selects Open in Desktop App in a file opened from the OneDrive website or from a SharePoint site (including a site used by a Teams channel), then the file won't have Mark of the Web.
Set the Windows internet security zone assignment for OneDrive or SharePoint domains to Trusted Sites. Admins can use the "Site to Zone Assignment List" policy and configure the policy to place your-domain-name.sharepoint.com (for SharePoint) or your-domain-name-my.sharepoint.com (for OneDrive) into the Trusted Sites zone.
SharePoint permissions and OneDrive sharing aren't changed by adding these locations to Trusted Sites. Maintaining access control is important. Anyone with permissions to add files to SharePoint could add files with active content, such as macros. Users who download files from domains in the Trusted Sites zone bypass the default to block macros.
When the user opens the macro-enabled template file, the user is blocked from running the macros in the template file. If the user trusts the source of the template file, they can remove Mark of the Web from the template file, and then reopen the template file in the Office app.
When the user tries to install the macro-enabled Add-in, by using File > Options > Add-ins or by using the Developer ribbon, the Add-in is loaded in a disabled state and the user is blocked from using the Add-in. If the user trusts the source of the Add-in file, they can remove Mark of the Web from the Add-in file, and then reopen PowerPoint or Excel to use the Add-in.
Using a digital signature and trusting the publisher doesn't work for Excel Add-in files that have Mark of the Web. This behavior isn't new for Excel Add-in files that have Mark of the Web. It's worked this way since 2016, as a result of a previous security hardening effort (related to Microsoft Security Bulletin MS16-088).
If the macro is signed and you validated the certificate and trust the source, you can make that source a trusted publisher. We recommend, if possible, that you manage trusted publishers for your users. For more information, see Trusted publishers for Office files.
Saving files from the internet to a Trusted Location on a user's device ignores the check for Mark of the Web and opens with VBA macros enabled. For example, a line of business application could send reports with macros on a recurring basis. If files with macros are saved to a Trusted Location, users don't have to go to the Properties for the file, and select Unblock to allow the macros to run.