E8 Guide | Restrict Microsoft Office Macros

This article explains how Devicie supports the Microsoft Office macro restriction controls recommended by the ACSC Essential Eight.

Macros are a common method for delivering malicious code through phishing emails and infected documents. Restricting or blocking macros reduces the risk of these attacks. The ACSC recommends disabling macros from untrusted sources, locking macro security settings, and scanning macros with antivirus software. Devicie supports this strategy by enforcing macro-related settings through Intune configuration profiles, aligned with Microsoft’s security baselines.

What's Covered

Devicie supports the following controls related to Microsoft Office macros:

  • Disabling macros for users who do not require them.

  • Blocking macros in files originating from the internet.

  • Enforcing macro security settings so they cannot be changed by users.

  • Enabling antivirus scanning for macros across supported Office applications.

  • Applying configuration policies to Microsoft Office applications via Intune.

What’s Not Covered

The following areas are outside Devicie’s scope and remain the responsibility of the customer:

  • Creating and managing exceptions for departments or users that legitimately require macros.

  • Enforcing macro restrictions for Office applications outside the supported Windows environment (e.g. Office for Mac, Office Online).

  • Detecting or analysing malicious macros in existing files outside Defender’s native scanning.

  • Monitoring macro execution events — Devicie does not provide centralised macro activity reporting or SIEM integration.

Potential Impact and Callouts

When implementing this Essential Eight mitigation strategy, it's important to understand the impacts on your environment and end users so that you can better plan your change processes.

  • Users relying on legitimate macros will require exemptions and appropriate policy adjustments.

  • Blocking macros from internet-sourced documents may affect workflows involving shared templates or vendor-supplied documents.

  • Macro restrictions are enforced at the application level and can cause disruption if not tested before deployment.

Devicie Delivered Controls

ML1

  • Microsoft Office macro antivirus scanning is enabled.

  • Microsoft Office macro security settings cannot be changed by users.

  • Microsoft Office macros are disabled for users that do not have a demonstrated business requirement.

  • Microsoft Office macros in files originating from the internet are blocked.

ML2

  • Microsoft Office macros are blocked from making Win32 API calls.

ML3

  • Microsoft Office macros digitally signed by an untrusted publisher cannot be enabled via the Message Bar or Backstage View.

  • Microsoft Office macros digitally signed by signatures other than V3 signatures cannot be enabled via the Message Bar or Backstage View.

  • Only Microsoft Office macros running from within a sandboxed environment, a Trusted Location or that are digitally signed by a trusted publisher are allowed to execute.

  • Only privileged users responsible for checking that Microsoft Office macros are free of malicious code can write to and modify content within Trusted Locations.

Customer Responsibility

ML1

  • All ML1 controls fall within the Devicie delivered controls.

ML2

  • All ML2 controls fall within the Devicie delivered controls.

ML3

  • Microsoft Office macros are checked to ensure they are free of malicious code before being digitally signed or placed within Trusted Locations.

  • Microsoft Office's list of trusted publishers is validated on an annual or more frequent basis.

💡 Tip: Use the Devicie Essential Eight report to view all controls broken down by strategy, maturity level and responsibility.