Macros from the internet will be blocked by default in Office
VBA macros are a common way for malicious actors to gain access to deploy malware and ransomware. Therefore, to help improve security in Office, we’re changing the default behavior of Office applications to block macros in files from the internet.
With this change, when users open a file that came from the internet, such as an email attachment, and that file contains macros, the following message will be displayed:
The Learn More button goes to an article for end users and information workers that contains information about the security risk of bad actors using macros, safe practices to prevent phishing and malware, and instructions on how to enable these macros (if absolutely needed).
In some cases, users will also see the message if the file is from a location within your intranet that’s not identified as being trusted, for example, if users are accessing files on a network share by using the share's IP address. For more information, see Files centrally located on a network share or trusted website.

Prepare for this change
To prepare for this change, we recommend that you work with the business units in your organization that use macros in Office files that are opened from locations such as intranet network shares or intranet websites. You'll want to identify those macros and determine what steps to take to keep using those macros. You'll also want to work with independent software vendors (ISVs) that provide macros in Office files from those locations, for example, to see if they can digitally sign their code so that you can treat them as a trusted publisher. Also, review the following information:

Steps to take to allow VBA macros to run in files that you trust
How you allow VBA macros to run in files that you trust depends on where those files are located or the type of file. The following table lists common scenarios and possible approaches to take to unblock VBA macros and allow them to run. You don't have to take every possible approach for a given scenario. Where we have listed multiple approaches, pick the one that best suits your organization.

Versions of Office affected by this change
This change only affects Office on devices running Windows and only affects the following applications: Access, Excel, PowerPoint, Visio, and Word. The following table shows the forecasted schedule of when this change will be available in each update channel. Information in italics is subject to change.
The change doesn’t affect Office on a Mac, Office on Android or iOS devices, or Office on the web.

How Office determines whether to run macros in files from the internet
The following flowchart graphic shows how Office determines whether to run macros in a file from the internet.
The following steps explain the information in the flowchart graphic, except for Excel Add-in files. For more information about those files, see Macro-enabled add-in files for PowerPoint and Excel. Also, if a file is located on a network share that isn’t in the Local intranet zone or isn’t a trusted site, macros will be blocked in that file.
Note: Previously, before this change in default behavior, the app would check to see if the VBA Macro Notification Settings policy was enabled and how it was configured. If the policy was set to Disabled or Not Configured, then the app would check the settings under File > Options > Trust Center > Trust Center Settings... > Macro Settings. The default is set to "Disable all macros with notification," which allows users to enable content in the Trust Bar.

Guidance on allowing VBA macros to run in files you trust

Remove Mark of the Web from a file
For an individual file, such as a file downloaded from an internet location or an email attachment the user has saved to their local device, the simplest way to unblock macros is to remove Mark of the Web. To remove it, right-click the file, choose Properties, and then select the Unblock checkbox on the General tab.
You can also use the Unblock-File cmdlet in PowerShell to remove the ZoneId value from the file. Removing the ZoneId value will allow VBA macros to run by default. Using the cmdlet does the same thing as selecting the Unblock checkbox on the General tab of the Properties dialog for the file. For more information about the ZoneId value, see Mark of the Web and zones.
If you have your users access files from a trusted website or an internal file server, you can do either of the following steps so that macros from those locations won't be blocked.
For example, if users are accessing a network share by using its IP address, macros in those files will be blocked unless the file share is in the Trusted sites or the Local intranet zone.
Tip: For example, you could add a file server or network share as a trusted site, by adding its FQDN or IP address to the list of trusted sites. If you want to add URLs that begin with http:// or network shares, clear the Require server verification (https:) for all sites in this zone checkbox.
Important: Because macros aren’t blocked in files from these locations, you should manage these locations carefully. Be sure you control who is allowed to save files to these locations.
You can use Group Policy and the "Site to Zone Assignment List" policy to add locations as trusted sites or to the Local intranet zone for Windows devices in your organization. This policy is found under Windows Components\Internet Explorer\Internet Control Panel\Security Page in the Group Policy Management Console. It’s available under both Computer Configuration\Policies\Administrative Templates and User Configuration\Policies\Administrative Templates.

Files on OneDrive or SharePoint

Macro-enabled template files for Word, PowerPoint, and Excel
Macro-enabled template files for Word, PowerPoint, and Excel that are downloaded from the internet will have Mark of the Web. For example, template files with the following extensions:
When the user opens the macro-enabled template file, the user will be blocked from running the macros in the template file. If the user trusts the source of the template file, they can remove Mark of the Web from the template file, and then reopen the template file in the Office app. If you have a group of users that need to use macro-enabled templates without macros being blocked, you can take either of the following actions:

Macro-enabled add-in files for PowerPoint and Excel
Macro-enabled Add-in files for PowerPoint and Excel that are downloaded from the internet will have Mark of the Web. For example, Add-in files with the following extensions:
When the user tries to install the macro-enabled Add-in, by using File > Options > Add-ins or by using the Developer ribbon, the Add-in will be loaded in a disabled state and the user will be blocked from using the Add-in. If the user trusts the source of the Add-in file, they can remove Mark of the Web from the Add-in file, and then reopen PowerPoint or Excel to use the Add-in. If you have a group of users that need to use macro-enabled Add-in files without macros being blocked, you can take the following actions.
For PowerPoint Add-in files:
For Excel Add-in files:
Note: Using a digital signature and trusting the publisher doesn't work for Excel Add-in files that have Mark of the Web. This behavior isn't new for Excel Add-in files that have Mark of the Web. It's worked this way since 2016, as a result of a previous security hardening effort (related to Microsoft Security Bulletin MS16-088).

Macros that are signed by a trusted publisher
If the macro is signed and you’ve validated the certificate and trust the source, you can make that source a trusted publisher. We recommend, if possible, that you manage trusted publishers for your users. For more information, see Trusted publishers for Office files. If you have just a few users, you can have them remove Mark of the Web from the file and then add the source of the macro as a trusted publisher on their devices.

Trusted Locations
Saving files from the internet to a Trusted Location on a user's device ignores the check for Mark of the Web and opens with VBA macros enabled. For example, a line of business application could send reports with macros on a recurring basis. If files with macros are saved to a Trusted Location, users won't need to go to the Properties for the file, and select Unblock to allow the macros to run. Because macros aren’t blocked in files saved to a Trusted Location, you should manage Trusted Locations carefully and use them sparingly. Network locations can also be set as a Trusted Location, but it's not recommended. For more information, see Trusted Locations for Office files.

Additional information about Mark of the Web

Mark of the Web and Trusted Documents
When a file is downloaded to a device running Windows, Mark of the Web is added to the file, identifying its source as being from the internet. Currently, when a user opens a file with Mark of the Web, a SECURITY WARNING banner appears, with an Enable content button. If the user selects Enable content, the file is considered a Trusted Document, and macros are allowed to run. The macros will continue to run even after the change of default behavior to block macros in files from the internet is implemented, because the file is still considered a Trusted Document.
After the change of default behavior to block macros in files from the internet, users will see a different banner the first time they open a file with macros from the internet. This SECURITY RISK banner doesn't have the option to Enable content. But users will be able to go to the Properties dialog for the file, and select Unblock, which will remove Mark of the Web from the file and allow the macros to run, as long as no policy or Trust Center setting is blocking.

Mark of the Web and zones
By default, Mark of the Web is added to files only from the Internet or Restricted sites zones.
Tip: To see these zones on a Windows device, go to Control Panel > Internet Options > Change security settings.
You can view the ZoneId value for a file by running the following command at a command prompt, and replacing {name of file} with your file name.
When you run this command, Notepad will open and display the ZoneId under the [ZoneTransfer] section. Here's a list of ZoneId values and what zone they map to.
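To check the ZoneId across a whole folder instead of opening one file at a time, the following PowerShell function (an added example, not part of the original article) reads the Zone.Identifier stream of macro-capable Office files and reports the zone for each. The function name Get-MacroFileZone, the extension list, and treating ZoneId 4 the same as ZoneId 3 are assumptions; the zone numbers are the standard Windows URL security zones.

```powershell
# Added example (not from the original article): list Mark of the Web per file.
function Get-MacroFileZone {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Path
    )

    # Standard Windows URL security zone numbers.
    $zoneNames = @{
        0 = 'My Computer'
        1 = 'Local intranet'
        2 = 'Trusted sites'
        3 = 'Internet'
        4 = 'Restricted sites'
    }

    # Assumed list of file types that can carry VBA macros; adjust for your estate.
    $extensions = '.doc', '.docm', '.dotm', '.xls', '.xlsm', '.xltm', '.xlam',
                  '.ppt', '.pptm', '.potm', '.ppam'

    Get-ChildItem -LiteralPath $Path -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $extensions -contains $_.Extension.ToLower() } |
        ForEach-Object {
            # Zone.Identifier is an NTFS alternate data stream.
            # If the stream is absent, the file has no Mark of the Web.
            $stream = Get-Content -LiteralPath $_.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
            $zoneId = $null
            foreach ($line in $stream) {
                if ($line -match '^\s*ZoneId\s*=\s*(\d+)\s*$') {
                    $zoneId = [int]$Matches[1]
                    break
                }
            }

            [pscustomobject]@{
                File   = $_.FullName
                ZoneId = $zoneId
                Zone   = if ($null -eq $zoneId) { 'No Mark of the Web' }
                         elseif ($zoneNames.ContainsKey($zoneId)) { $zoneNames[$zoneId] }
                         else { 'Unknown' }
                # ZoneId 3 is blocked by default per the article; 4 is assumed to behave the same.
                BlockedByDefault = ($zoneId -in 3, 4)
            }
        }
}

# Example run against the current user's Downloads folder.
Get-MacroFileZone -Path "$env:USERPROFILE\Downloads" |
    Where-Object BlockedByDefault |
    Format-Table -AutoSize
```

The output reflects Mark of the Web only; Trusted Locations, trusted publishers, and policy settings can still change whether macros actually run.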
For example, if the ZoneId is 2, VBA macros in that file won't be blocked by default. But if the ZoneId is 3, macros in that file will be blocked by default.
You can use the Unblock-File cmdlet in PowerShell to remove the ZoneId value from the file. Removing the ZoneId value will allow VBA macros to run by default. Using the cmdlet does the same thing as selecting the Unblock checkbox on the General tab of the Properties dialog for the file.
To identify files that have VBA macros that might be blocked from running, you can use the Readiness Toolkit for Office add-ins and VBA, which is a free download from Microsoft. The Readiness Toolkit includes a standalone executable that can be run from a command line or from within a script. You can run the Readiness Toolkit on a user's device to look at files on the user's device. Or you can run it from your device to look at files on a network share.
When you run the standalone executable version of the Readiness Toolkit, a JSON file is created with the information collected. You'll want to save the JSON files in a central location, such as a network share. Then you'll run the Readiness Report Creator, which is a UI wizard version of the Readiness Toolkit. This wizard will consolidate the information in the separate JSON files into a single report in the form of an Excel file.
To identify files that might be impacted by using the Readiness Toolkit, follow these basic steps:
For more detailed information about using the Readiness Toolkit, see Use the Readiness Toolkit to assess application compatibility for Microsoft 365 Apps.

Use policies to manage how Office handles macros
You can use policies to manage how Office handles macros. We recommend that you use the Block macros from running in Office files from the Internet policy. But if that policy isn't appropriate for your organization, the other option is the VBA Macro Notification Settings policy. For more information on how to deploy these policies, see Tools available to manage policies.
Important: You can only use policies if you're using Microsoft 365 Apps for enterprise. Policies aren't available for Microsoft 365 Apps for business.

Block macros from running in Office files from the Internet
This policy prevents users from inadvertently opening files containing macros from the internet. When a file is downloaded to a device running Windows, or opened from a network share location, Mark of the Web is added to the file identifying it was sourced from the internet. We recommend enabling this policy as part of the security baseline for Microsoft 365 Apps for enterprise. You should enable this policy for most users and only make exceptions for certain users as needed.
There's a separate policy for each of the five applications. The following table shows where each policy can be found in the Group Policy Management Console under User Configuration\Policies\Administrative Templates:
Which state you choose for the policy determines the level of protection you're providing. The following table shows the current level of protection you get with each state, before the change in default behavior is implemented.
After we implement the change to the default behavior, the level of protection changes when the policy is set to Not Configured.

VBA Macro Notification Settings
If you don't use the "Block macros from running in Office files from the Internet" policy, you can use the "VBA Macro Notification Settings" policy to manage how macros are handled by Office. This policy prevents users from being lured into enabling malicious macros. By default, Office is configured to block files that contain VBA macros and display a Trust Bar with a warning that macros are present and have been disabled. Users can inspect and edit the files if appropriate, but can’t use any disabled functionality until they select Enable Content on the Trust Bar. If the user selects Enable Content, then the file is added as a Trusted Document and macros are allowed to run.
There's a separate policy for each of the five applications. The following table shows where each policy can be found in the Group Policy Management Console under User Configuration\Policies\Administrative Templates:
Which state you choose for the policy determines the level of protection you're providing. The following table shows the level of protection you get with each state.
Important: Securing macros is important. For users that don't need macros, turn off all macros by choosing "Disable all without notification." Our security baseline recommendation is that you should do the following:
If you don't configure the policy, users can configure macro protection settings under File > Options > Trust Center > Trust Center Settings... > Macro Settings. The following table shows the choices users can make under Macro Settings and the level of protection each setting provides.
Note: In the policy setting values and the product UI for Excel, the word "all" is replaced by "VBA." For example, "Disable VBA macros without notification."
There are several tools available to you to configure and deploy policy settings to users in your organization.

Cloud Policy
You can use Cloud Policy to configure and deploy policy settings to devices in your organization, even if the device isn't domain joined. Cloud Policy is a web-based tool and is found in the Microsoft 365 Apps admin center. In Cloud Policy, you create a policy configuration, assign it to a group, and then select policies to be included in the policy configuration. To select a policy to include, you can search by the name of the policy. Cloud Policy also shows which policies are part of the Microsoft recommended security baseline. The policies available in Cloud Policy are the same User Configuration policies that are available in the Group Policy Management Console. For more information, see Overview of Cloud Policy service for Microsoft 365.

Microsoft Endpoint Manager admin center
In the Microsoft Endpoint Manager admin center, you can use either the Settings catalog (preview) or Administrative Templates to configure and deploy policy settings to your users for devices running Windows 10 or later. To get started, go to Devices > Configuration profiles > Create profile. For Platform, choose Windows 10 and later and then choose the profile type. For more information, see the following articles:

Group Policy Management Console
If you have Windows Server and Active Directory Domain Services (AD DS) deployed in your organization, you can configure policies by using Group Policy. To use Group Policy, download the most current Administrative Template files (ADMX/ADML) for Office, which include the policy settings for Microsoft 365 Apps for enterprise. After you copy the Administrative Template files to AD DS, you can use the Group Policy Management Console to create Group Policy Objects (GPOs) that include policy settings for your users, and for domain joined devices.

How can I fix the "Microsoft has blocked macros from running because the source of this file is untrusted" error?
1. Close the workbook.
2. Right-click on the workbook.
3. Select Properties.
4. Under the General tab, make sure to check the Unblock box in Security.
5. Hit the Apply button.
6. Now open the workbook.

Why is Microsoft blocking macros?
During 2022, Microsoft introduced new security into the Windows version of Microsoft Excel to protect users against malicious Excel macros. Due to a significant increase in attempts by hackers to use macros, Microsoft had to take steps to protect users.

Why can't I open a macro enabled Excel File?
Solution. Click on File -> Options -> Trust Center -> Trust Center Settings… -> Macro Settings -> Enable all macros.