Disable Macros in Office

email me

What is a macro and what is the security risk?

Macros automate frequently-used tasks; many are created with VBA and are written by software developers. However, some macros pose a potential security risk. A person with malicious intent can introduce a destructive macro, in a document or file, which can spread a virus on your computer.

Use these registry keys to disable macros—one machine at a time.

 

Word

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Word\Security]
“VBAWarnings”=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Word\Security\FileBlock]

[HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Word\Security\FileBlock\OoxmlConverters]
“{A5C79653-FC73-46ee-AD3E-B64C01268DAA}”=dword:00000000

 

Excel

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Excel\Security]
“VBAWarnings”=dword:00000004

 

PowerPoint

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\PowerPoint\Security]
“VBAWarnings”=dword:00000004

 

What this setting looks like under File, Options, Trust Center, Trust Center Settings, Macros in the respective app.

 

Notes

You may of course need to do this for a fleet of computers. The best way to handle that is through Group Policy. SeeĀ https://www.microsoft.com/en-us/download/details.aspx?id=35554

User Configuration/Administrative Templates/Microsoft Office VERSION 20VERSION/Application Settings/Security/Trust Center/Trusted Locations

 

As a secondary enterprise solution, you could also deploy a script to disable the macros—cycling through each user reg hive and applying the appropriate reg keys. Note, this will not prevent someone from re-enabling them, but will at least turn them off.

The script I created is below. The magic happens when each user SID is loaded and the reg keys are applied.

on error resume next 

Set objShell = CreateObject("Wscript.Shell")
Set objFSO = CreateObject("Scripting.FileSystemObject")

strComputer = "."

strCurrentDirectory = objShell.CurrentDirectory

Const HKEY_LOCAL_MACHINE = &H80000002
Const OverwriteExisting = TRUE
Const POPUP_TITLE = "User To SID Conversion"

Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
Set objRegistry=GetObject("winmgmts:\\" & strComputer & "\root\default:StdRegProv")
strKeyPath = "SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\ProfileList"
objRegistry.EnumKey HKEY_LOCAL_MACHINE, strKeyPath, arrSubkeys
For Each objSubkey In arrSubkeys
 'on error resume next
 strValueName = "ProfileImagePath"
 strSubPath = strKeyPath & "\" & objSubkey
 objRegistry.GetExpandedStringValue HKEY_LOCAL_MACHINE,strSubPath,strValueName,strValue
 
 Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2") 
 Set objAccount = objWMIService.Get("Win32_SID.SID='" & objSubkey & "'")
 strUser = objAccount.AccountName
 'strDomain = objAccount.ReferencedDomainName'returns referenced domain

'DISPLAY PROFILE NAME & SID
 objSubkey = trim(objSubkey)'trims whitespace
 strUser = trim(strUser)'trims whitespace
 'msgbox "objSubkey: " & objSubkey'returns SID
 'msgbox strUser'returns username

'LOGIC TO DETERMINE IF REGISTRY ACCOUNT IS TO BE LOADED
if strUser = "SYSTEM" then strUser=""
if strUser = "LOCAL SERVICE" then strUser=""
if strUser = "NETWORK SERVICE" then strUser=""
'if strUser = "ADMINISTRATOR" then strUser=""

if strUser <> "" then
	on error resume next
	'msgbox objSubkey
	objShell.Run "cmd /c reg.exe add ""HKEY_USERS\" & objSubkey & "\Software\Microsoft\Office\16.0\Word\Security"" /v VBAWarnings /d 00000004 /t REG_DWORD /f /reg:64",0,true
	objShell.Run "cmd /c reg.exe add ""HKEY_USERS\" & objSubkey & "\Software\Microsoft\Office\16.0\Word\Security\FileBlock\OoxmlConverters"" /v {A5C79653-FC73-46ee-AD3E-B64C01268DAA} /d 00000000 /t REG_DWORD /f /reg:64",0,true
	objShell.Run "cmd /c reg.exe add ""HKEY_USERS\" & objSubkey & "\Software\Microsoft\Office\16.0\Excel\Security"" /v VBAWarnings /d 00000004 /t REG_DWORD /f /reg:64",0,true
	objShell.Run "cmd /c reg.exe add ""HKEY_USERS\" & objSubkey & "\Software\Microsoft\Office\16.0\PowerPoint\Security"" /v VBAWarnings /d 00000004 /t REG_DWORD /f /reg:64",0,true
	
	objShell.Run "cmd /c reg.exe add ""HKEY_USERS\" & objSubkey & "\Software\Microsoft\Office\15.0\Word\Security"" /v VBAWarnings /d 00000004 /t REG_DWORD /f /reg:64",0,true
	objShell.Run "cmd /c reg.exe add ""HKEY_USERS\" & objSubkey & "\Software\Microsoft\Office\15.0\Word\Security\FileBlock"" /v {A5C79653-FC73-46ee-AD3E-B64C01268DAA} /d 00000000 /t REG_DWORD /f /reg:64",0,true
	objShell.Run "cmd /c reg.exe add ""HKEY_USERS\" & objSubkey & "\Software\Microsoft\Office\15.0\Excel\Security"" /v VBAWarnings /d 00000004 /t REG_DWORD /f /reg:64",0,true
	objShell.Run "cmd /c reg.exe add ""HKEY_USERS\" & objSubkey & "\Software\Microsoft\Office\15.0\PowerPoint\Security"" /v VBAWarnings /d 00000004 /t REG_DWORD /f /reg:64",0,true
	
	objShell.Run "cmd /c reg.exe add ""HKEY_USERS\" & objSubkey & "\Software\Microsoft\Office\14.0\Word\Security"" /v VBAWarnings /d 00000004 /t REG_DWORD /f",0,true
	objShell.Run "cmd /c reg.exe add ""HKEY_USERS\" & objSubkey & "\Software\Microsoft\Office\14.0\Word\Security\FileBlock"" /v {A5C79653-FC73-46ee-AD3E-B64C01268DAA} /d 00000000 /t REG_DWORD /f",0,true
	objShell.Run "cmd /c reg.exe add ""HKEY_USERS\" & objSubkey & "\Software\Microsoft\Office\14.0\Excel\Security"" /v VBAWarnings /d 00000004 /t REG_DWORD /f",0,true
	objShell.Run "cmd /c reg.exe add ""HKEY_USERS\" & objSubkey & "\Software\Microsoft\Office\14.0\PowerPoint\Security"" /v VBAWarnings /d 00000004 /t REG_DWORD /f",0,true
end if

Next

 

Reference

https://support.office.com/en-us/article/Enable-or-disable-macros-in-Office-documents-7b4fdd2e-174f-47e2-9611-9efe4f860b12?ui=en-US&rs=en-US&ad=US&fromAR=1

https://support.office.com/en-us/article/Enable-or-disable-macros-in-Office-files-12b036fd-d140-4e74-b45e-16fed1a7e5c6