Overview
The Devicie Essential Eight Maturity Level 1 Restrict Office Macros (Allow with Prompt) (Nov 2023) configuration is to meet the Australian Cyber Security Centre’s guidance for this mitigation strategy.
Intune Description:
E8 ML1 Restrict Office Macros (Allow with Prompt) (Nov 2023)
Scope:
This baseline should be applied to Windows devices.
Policy Impact Areas:
When deployed, this policy will impact:
-
Enforcing a prompt when users attempt to use macros, within all Office 365 products
Deployment Notes
-
Pre-Deployment Considerations:
-
Consider users who may be impacted by this change (typically finance teams). Note that this is not a block policy, so effective communication with user feedback will assist in longer term deployments to higher levels of controls
-
-
Post-Deployment Validation:
-
Attempt to run a macro within Excel
-
Configuration Settings:
|
Name |
Value |
|
Administrative Templates |
|
|
Attachment Manager |
|
|
Hide mechanisms to remove zone information (User) |
Enabled |
|
Defender |
|
|
Attack Surface Reduction Rules |
|
|
Block Win32 API calls from Office macros |
Block |
|
Microsoft Access 2016 |
|
|
Trust Center |
|
|
Block macros from running in Office files from the Internet (User) |
Enabled |
|
Turn off trusted documents (User) |
Enabled |
|
Turn off Trusted Documents on the network (User) |
Enabled |
|
VBA Macro Notification Settings (User) |
Enabled |
|
|
Disable all with notification |
|
Trusted Locations |
|
|
Allow Trusted Locations on the network (User) |
Disabled |
|
Disable all trusted locations (User) |
Enabled |
|
Microsoft Excel 2016 |
|
|
Security |
|
|
Scan encrypted macros in Excel Open XML workbooks (User) |
Enabled |
|
|
Scan encrypted macros (default) |
|
Trust Center |
|
|
Block macros from running in Office files from the Internet (User) |
Enabled |
|
Trust access to Visual Basic Project (User) |
Disabled |
|
Turn off trusted documents (User) |
Enabled |
|
Turn off Trusted Documents on the network (User) |
Enabled |
|
VBA Macro Notification Settings (User) |
Enabled |
|
|
Disable all with notification |
|
Trusted Locations |
|
|
Allow Trusted Locations on the network (User) |
Disabled |
|
Disable all trusted locations (User) |
Enabled |
|
Microsoft Office 2016 |
|
|
Security Settings |
|
|
Automation Security (User) |
Enabled |
|
Set the Automation Security level (User) |
Use application macro security level |
|
Disable all Trust Bar notifications for security issues (User) |
Disabled |
|
Disable VBA for Office applications (User) |
Disabled |
|
Macro Runtime Scan Scope (User) |
Enabled |
|
|
Enable for all documents |
|
Trust Center |
|
|
Allow mix of policy and user locations (User) |
Disabled |
|
Microsoft Outlook 2016 |
|
|
Security Form Settings |
|
|
Outlook Security Mode (User) |
Enabled |
|
Outlook Security Policy: (User) |
Use Outlook Security Group Policy |
|
Security setting for macros (User) |
Enabled |
|
Security Level (User) |
Always warn |
|
Trust Center |
|
|
Apply macro security settings to macros, add-ins and additional actions (User) |
Enabled |
|
Microsoft PowerPoint 2016 |
|
|
Security |
|
|
Scan encrypted macros in PowerPoint Open XML presentations (User) |
Enabled |
|
|
Scan encrypted macros (default) |
|
Trust Center |
|
|
Block macros from running in Office files from the Internet (User) |
Enabled |
|
Trust access to Visual Basic Project (User) |
Disabled |
|
Turn off trusted documents (User) |
Enabled |
|
Turn off Trusted Documents on the network (User) |
Enabled |
|
VBA Macro Notification Settings (User) |
Enabled |
|
|
Disable all with notification |
|
Trusted Locations |
|
|
Allow Trusted Locations on the network (User) |
Disabled |
|
Disable all trusted locations (User) |
Enabled |
|
Microsoft Project 2016 |
|
|
Trust Center |
|
|
Allow Trusted Locations on the network (User) |
Disabled |
|
Disable all trusted locations (User) |
Enabled |
|
VBA Macro Notification Settings (User) |
Enabled |
|
|
Disable all with notification |
|
Microsoft Publisher 2016 |
|
|
Security |
|
|
Publisher Automation Security Level (User) |
Enabled |
|
|
High (disabled) |
|
Trust Center |
|
|
Block macros from running in Office files from the internet (User) |
Enabled |
|
VBA Macro Notification Settings (User) |
Enabled |
|
|
Disable all with notification |
|
Microsoft Visio 2016 |
|
|
Macro Security |
|
|
Enable Microsoft Visual Basic for Applications project creation (User) |
Disabled |
|
Load Microsoft Visual Basic for Applications projects from text (User) |
Disabled |
|
Trust Center |
|
|
Allow Trusted Locations on the network (User) |
Disabled |
|
Block macros from running in Office files from the Internet (User) |
Enabled |
|
Disable all trusted locations (User) |
Enabled |
|
Turn off trusted documents (User) |
Enabled |
|
Turn off Trusted Documents on the network (User) |
Enabled |
|
VBA Macro Notification Settings (User) |
Enabled |
|
|
Disable all with notification |
|
Microsoft Word 2016 |
|
|
Trust Center |
|
|
Block macros from running in Office files from the Internet (User) |
Enabled |
|
Scan encrypted macros in Word Open XML documents (User) |
Enabled |
|
|
Scan encrypted macros (default) |
|
Trust access to Visual Basic Project (User) |
Disabled |
|
Turn off trusted documents (User) |
Enabled |
|
Turn off Trusted Documents on the network (User) |
Enabled |
|
VBA Macro Notification Settings (User) |
Enabled |
|
|
Disable all with notification |
|
Trusted Locations |
|
|
Allow Trusted Locations on the network (User) |
Disabled |
|
Disable all trusted locations (User) |
Enabled |
|
Devicie Template Name |
ACSC E8 Nov 2023-ML1 Restrict Office macros-Allow with prompt |
|
Default Intune Deployed Name |
DEVICIE-PROD-ACSC E8 Nov 2023-ML1 Restrict Office macros-Allow with prompt |
|
Version |
1.0 |
|
Template Last Updated |
Nov 18, 2024 |
|
Document Last Updated: |
Jun 12, 2025 |