You can block Macros and consequently, Macro viruses or Macro targeted malware files, from the Internet, from opening & running automatically in your Microsoft Office programs like Word, Excel, or PowerPoint documents using Group Policy or Registry Editor in Windows 11/10.
Office Macros are basically small bits of code written in Visual Basic (VBA), that allow you to carry out select repetitive tasks. They are useful by themselves, but many times malware writers misuse this functionality to introduce malware into your computer system.
A Macro virus is a virus that takes advantage of Macros that run in Microsoft Office applications such as Microsoft Word, PowerPoint, or Excel. Cybercriminals send you a macro-infested payload or a file that will, later on, download a malicious script, via email and use a subject line that interests or provokes you into opening the document. When you open the document, a macro runs to execute whatever the task the criminal wants.
Microsoft has disabled the Macro functioning by default. It has now set the default settings in Office to Disable all macros with notification. That is, no macro would run in Microsoft Word until you allow it to run, since the files are now open in Protected View.
Macro-based malware has made a comeback and is again on the rise. Microsoft has therefore rolled out a new Group Policy update to all Office clients on the network that blocks Internet originating macros from loading, in high-risk scenarios, and thus helps enterprise administrators prevent the risk of macros.
Read: How to remove Macro virus.
Block Macros from running in Office files using Group Policy
Office provides a Group Policy setting that enables you to block macros from running in Word, Excel and PowerPoint files from the Internet. By default, macros in Word, Excel and PowerPoint files are enabled according to the macro warning setting. Files are identified as coming from the Internet based on the zone information added to the file by the Attachment Execution Service (AES). AES adds zone information to files that are downloaded by Outlook, Internet Explorer, and some other applications. Use the following guidelines to determine how to configure this setting if you want to block macros on Word, Excel and PowerPoint files from the Internet.
To enable this policy setting, Run gpedit.msc and navigate to the following setting:
User configuration > Administrative templates > Microsoft Word > Word options > Security > Trust Center.
Double-click on Block macros from running in Office files from the Internet setting, Enable it.
This policy setting allows you to block macros from running in Office files that come from the Internet. If you enable this policy setting, macros are blocked from running, even if “Enable all macros” is selected in the Macro Settings section of the Trust Center. Also, instead of having the choice to “Enable Content,” users will receive a notification that macros are blocked from running. If the Office file is saved to a trusted location or was previously trusted by the user, macros will be allowed to run. If you disable or don’t configure this policy setting, the settings configured in the Macro Settings section of the Trust Center determine whether macros run in Office files that come from the Internet.
Prevent Macros from running in Microsoft Office using Registry
To prevent Macros from running in Microsoft Office using Registry, follow these steps:
- Press Win+R to open the Run prompt.
- Type regedit > press the Enter button > click the Yes button.
- Navigate to Microsoft\office\16.0 in HKCU.
- Right-click on 0 > New > Key and name it as word.
- Right-click on word > New > Key and set the name as security.
- Right-click on security > New > DWORD (32-bit) Value.
- Set the name as blockcontentexecutionfrominternet.
- Double-click on it to set the Value data as 1.
- Click the OK button and restart your computer.
To learn more about these steps, continue reading.
To get started, you need to open the Registry Editor first. For that, press Win+R > type regedit > hit the Enter button > click the Yes option on the UAC prompt.
Then, navigate to this path:
Right-click on 16.0 > New > Key and name it as word. Then, right-click on the word key, select New > Key, and name it as security.
Following that, you need to create a REG_DWORD value. For that, right-click on security > New > DWORD (32-bit) Value and set the name as blockcontentexecutionfrominternet.
Double-click on it to set the Value data as 1 and click the OK button.
Finally, restart your computer to apply the change. However, if you want to revert the change and apply the default setting, you need to delete the blockcontentexecutionfrominternet REG_DWORD value. To do that, right-click on it, select the Delete option, and click the Yes button.
There has been a jump in the incidence of Macro Virus, using email as well as social engineering, so you want to exercise caution and stay safe at all times!
How do I stop macros from running in Office files from the Internet?
There are two ways to stop macros from running in Office files from the internet – using the Local Group Policy Editor and the Registry Editor. Both methods are mentioned above, and you can follow either of them. However, you need to install the administrator templates for Office if you want to use the GPEDIT method.
How do I disable macros in Excel GPO?
To disable macros in Excel, you can use the Local Group Policy Editor. To do that, open the GPEDIT and navigate to User Configuration > Administrative Templates > Microsoft Excel 2016 > Excel Options > Security > Trust Center. Double-click on the Block macros from running in Office files from the Internet setting and choose the Enabled option. Then, click on the OK button to save the change. For your information, you can do the same in other apps and using Registry Editor as well.