What is a macro and what is the security risk?
Macros automate frequently-used tasks; many are created with VBA and are written by software developers. However, some macros pose a potential security risk. A person with malicious intent can introduce a destructive macro, in a document or file, which can spread a virus on your computer.
Use these registry keys to disable macros—one machine at a time.
Word
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Word\Security]
“VBAWarnings”=dword:00000004
[HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Word\Security\FileBlock]
[HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Word\Security\FileBlock\OoxmlConverters]
“{A5C79653-FC73-46ee-AD3E-B64C01268DAA}”=dword:00000000
Excel
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Excel\Security]
“VBAWarnings”=dword:00000004
PowerPoint
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\PowerPoint\Security]
“VBAWarnings”=dword:00000004
What this setting looks like under File, Options, Trust Center, Trust Center Settings, Macros in the respective app.
Notes
You may of course need to do this for a fleet of computers. The best way to handle that is through Group Policy. SeeĀ https://www.microsoft.com/en-us/download/details.aspx?id=35554
User Configuration/Administrative Templates/Microsoft Office VERSION 20VERSION/Application Settings/Security/Trust Center/Trusted Locations
As a secondary enterprise solution, you could also deploy a script to disable the macros—cycling through each user reg hive and applying the appropriate reg keys. Note, this will not prevent someone from re-enabling them, but will at least turn them off.
The script I created is below. The magic happens when each user SID is loaded and the reg keys are applied.
on error resume next Set objShell = CreateObject("Wscript.Shell") Set objFSO = CreateObject("Scripting.FileSystemObject") strComputer = "." strCurrentDirectory = objShell.CurrentDirectory Const HKEY_LOCAL_MACHINE = &H80000002 Const OverwriteExisting = TRUE Const POPUP_TITLE = "User To SID Conversion" Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2") Set objRegistry=GetObject("winmgmts:\\" & strComputer & "\root\default:StdRegProv") strKeyPath = "SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\ProfileList" objRegistry.EnumKey HKEY_LOCAL_MACHINE, strKeyPath, arrSubkeys For Each objSubkey In arrSubkeys 'on error resume next strValueName = "ProfileImagePath" strSubPath = strKeyPath & "\" & objSubkey objRegistry.GetExpandedStringValue HKEY_LOCAL_MACHINE,strSubPath,strValueName,strValue Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2") Set objAccount = objWMIService.Get("Win32_SID.SID='" & objSubkey & "'") strUser = objAccount.AccountName 'strDomain = objAccount.ReferencedDomainName'returns referenced domain 'DISPLAY PROFILE NAME & SID objSubkey = trim(objSubkey)'trims whitespace strUser = trim(strUser)'trims whitespace 'msgbox "objSubkey: " & objSubkey'returns SID 'msgbox strUser'returns username 'LOGIC TO DETERMINE IF REGISTRY ACCOUNT IS TO BE LOADED if strUser = "SYSTEM" then strUser="" if strUser = "LOCAL SERVICE" then strUser="" if strUser = "NETWORK SERVICE" then strUser="" 'if strUser = "ADMINISTRATOR" then strUser="" if strUser <> "" then on error resume next 'msgbox objSubkey objShell.Run "cmd /c reg.exe add ""HKEY_USERS\" & objSubkey & "\Software\Microsoft\Office\16.0\Word\Security"" /v VBAWarnings /d 00000004 /t REG_DWORD /f /reg:64",0,true objShell.Run "cmd /c reg.exe add ""HKEY_USERS\" & objSubkey & "\Software\Microsoft\Office\16.0\Word\Security\FileBlock\OoxmlConverters"" /v {A5C79653-FC73-46ee-AD3E-B64C01268DAA} /d 00000000 /t REG_DWORD /f /reg:64",0,true objShell.Run "cmd /c reg.exe add ""HKEY_USERS\" & objSubkey & "\Software\Microsoft\Office\16.0\Excel\Security"" /v VBAWarnings /d 00000004 /t REG_DWORD /f /reg:64",0,true objShell.Run "cmd /c reg.exe add ""HKEY_USERS\" & objSubkey & "\Software\Microsoft\Office\16.0\PowerPoint\Security"" /v VBAWarnings /d 00000004 /t REG_DWORD /f /reg:64",0,true objShell.Run "cmd /c reg.exe add ""HKEY_USERS\" & objSubkey & "\Software\Microsoft\Office\15.0\Word\Security"" /v VBAWarnings /d 00000004 /t REG_DWORD /f /reg:64",0,true objShell.Run "cmd /c reg.exe add ""HKEY_USERS\" & objSubkey & "\Software\Microsoft\Office\15.0\Word\Security\FileBlock"" /v {A5C79653-FC73-46ee-AD3E-B64C01268DAA} /d 00000000 /t REG_DWORD /f /reg:64",0,true objShell.Run "cmd /c reg.exe add ""HKEY_USERS\" & objSubkey & "\Software\Microsoft\Office\15.0\Excel\Security"" /v VBAWarnings /d 00000004 /t REG_DWORD /f /reg:64",0,true objShell.Run "cmd /c reg.exe add ""HKEY_USERS\" & objSubkey & "\Software\Microsoft\Office\15.0\PowerPoint\Security"" /v VBAWarnings /d 00000004 /t REG_DWORD /f /reg:64",0,true objShell.Run "cmd /c reg.exe add ""HKEY_USERS\" & objSubkey & "\Software\Microsoft\Office\14.0\Word\Security"" /v VBAWarnings /d 00000004 /t REG_DWORD /f",0,true objShell.Run "cmd /c reg.exe add ""HKEY_USERS\" & objSubkey & "\Software\Microsoft\Office\14.0\Word\Security\FileBlock"" /v {A5C79653-FC73-46ee-AD3E-B64C01268DAA} /d 00000000 /t REG_DWORD /f",0,true objShell.Run "cmd /c reg.exe add ""HKEY_USERS\" & objSubkey & "\Software\Microsoft\Office\14.0\Excel\Security"" /v VBAWarnings /d 00000004 /t REG_DWORD /f",0,true objShell.Run "cmd /c reg.exe add ""HKEY_USERS\" & objSubkey & "\Software\Microsoft\Office\14.0\PowerPoint\Security"" /v VBAWarnings /d 00000004 /t REG_DWORD /f",0,true end if Next
Reference