Plan security settings for VBA macros in Office 2016
Applies to: Office 2016
Topic Last Modified: 2015-09-21
Summary: Explains how Visual Basic for Applications (VBA) and VBA macro settings control the way VBA and VBA macros behave in Office 2016.
Audience: IT Professionals
If you want to control the way Visual Basic for Applications (VBA) and VBA macros behave, you can change Office 2016 VBA and VBA macros settings for the following applications: Access 2016, Excel 2016, PowerPoint 2016, Publisher 2013, Visio 2016, and Word 2016.
Are you looking for security information about individual Office 2016 applications? You can find this information by searching for "2016 security" on Office Support.
Office 2016 provides several settings that enable you to control the behavior of VBA and VBA macros. By configuring these settings, you can do the following:
Change the security warning settings for VBA macros. This includes disabling VBA macros, enabling all VBA macros, and changing the way that users are notified about VBA macros.
Block VBA macros from running in Word, Excel, and PowerPoint files from the Internet.
Change how VBA macros behave in applications that are started programmatically through Automation.
Change how antivirus software scans encrypted VBA macros.
By default, VBA is enabled and trusted VBA macros are allowed to run. This includes VBA macros in documents that are saved in a trusted location, VBA macros in trusted documents, and VBA macros that meet the following criteria:
The macro is signed by the developer who uses a digital signature.
The digital signature is valid.
This digital signature is current (not expired).
The certificate associated with the digital signature was issued by a reputable certification authority (CA).
The developer who signed the macro is a trusted publisher.
The default security setting for macros is different in Outlook 2016. For more information, see the Outlook 2016 security documentation.
VBA macros that aren’t trusted aren’t allowed to run until a user clicks the Message Bar and chooses to enable the VBA macro.
You can easily get some visibility into VBA macro usage in your organization by reviewing data in Office 2016 Telemetry Dashboard. There is a built-in report named “Inventory” that collects and displays unique instance data about each Office solution that is monitored. This includes whether an Office document uses VBA macros.
To use the following procedure you must have already deployed and configured Office Telemetry Dashboard. For information about Office Telemetry Dashboard in general, see Overview of Office telemetry. For details about how to deploy Office Telemetry, see Deploy Telemetry Dashboard.
To view VBA macro usage in an Office 2016 Telemetry Dashboard report
Open Telemetry Dashboard and connect to your telemetry database.
In the navigation pane of Telemetry Dashboard, choose Custom report.
When the Custom report page opens, choose Create custom report.
In the PivotTable Fields list, Inventory section, find and select Has VBA. Review the report for any VBA-related warnings. If you need to investigate more, select additional fields in the Inventory table.
Save the data if you’d like, then close the Telemetry Dashboard.
Office 2016 provides a setting that enables you to change the security warning settings and the behavior of VBA macros. Use the following guidelines to determine how to configure this setting if you want to change how users are notified about untrusted VBA macros or change the default behavior of VBA macros.
Group Policy setting name: VBA Macro Notification Settings
Office provides a Group Policy setting that enables you to block macros from running in Word, Excel and PowerPoint files from the Internet. By default, macros in Word, Excel and PowerPoint files are enabled according to the macro warning setting. Files are identified as coming from the Internet based on the zone information added to the file by the Attachment Execution Service (AES). AES adds zone information to files that are downloaded by Outlook, Internet Explorer, and some other applications. Use the following guidelines to determine how to configure this setting if you want to block macros on Word, Excel and PowerPoint files from the Internet.
You configure this setting using Group Policy. There isn’t a Trust Center equivalent.
Group Policy setting name: Block macros from running in Office files from the Internet
Description: This setting blocks VBA macros from running in Excel 2016, PowerPoint 2016, and Word 2016 on files from the Internet. You can configure this setting on a per-application basis.
Impact: If you enable this policy setting, macros are blocked from running on files from the Internet, even if Enable all macros is selected in the Macro Settings section of the Trust Center. Also, instead of having the choice to “Enable Content,” users will receive a notification that macros are blocked from running. If the Office file is saved to a trusted location or was previously trusted by the user, macros will be allowed to run.
Guidelines: Organizations that have highly restrictive security environments but need to use documents with VBA macros typically enable this setting. If your organization has business-critical requirements for using documents that are considered to originate from the Internet and that have VBA code, don’t enable this setting.
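Before enabling this setting, it helps to see which macro-capable files actually carry Internet zone information. The following PowerShell function is an added example, not part of the original article: it reads the zone information from the NTFS alternate data stream named Zone.Identifier and reports the zone for each Word, Excel, and PowerPoint file under a folder. The function name, the extension list, and the folder in the usage line are assumptions made for illustration.

```powershell
# Added example: report the zone information on macro-capable Office files.
# Assumptions: NTFS volume, Windows PowerShell 3.0 or later; the function name
# and the audited folder are hypothetical.
function Get-OfficeFileZone {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path
    )

    # Word, Excel and PowerPoint extensions that can carry VBA macros.
    $macroExtensions = '.doc', '.docm', '.dot', '.dotm',
                       '.xls', '.xlsm', '.xlsb', '.xlt', '.xltm', '.xlam',
                       '.ppt', '.pptm', '.pot', '.potm', '.pps', '.ppsm', '.ppam'

    # Windows URL security zone numbers.
    $zoneNames = @{ 0 = 'Local machine'; 1 = 'Local intranet'; 2 = 'Trusted sites'
                    3 = 'Internet'; 4 = 'Restricted sites' }

    Get-ChildItem -LiteralPath $Path -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $macroExtensions -contains $_.Extension.ToLowerInvariant() } |
        ForEach-Object {
            # Files saved without zone information have no Zone.Identifier
            # stream, so Get-Content returns nothing for them.
            $stream = Get-Content -LiteralPath $_.FullName -Stream Zone.Identifier `
                                  -ErrorAction SilentlyContinue
            $zoneId = $null
            foreach ($line in $stream) {
                if ($line -match '^\s*ZoneId\s*=\s*(\d+)\s*$') {
                    $zoneId = [int]$Matches[1]
                    break
                }
            }
            [pscustomobject]@{
                File         = $_.FullName
                ZoneId       = $zoneId
                Zone         = if ($null -eq $zoneId) { 'No zone information' }
                               elseif ($zoneNames.ContainsKey($zoneId)) { $zoneNames[$zoneId] }
                               else { "Unknown ($zoneId)" }
                InternetZone = ($zoneId -eq 3)
            }
        }
}

# Usage: list the files in a user's Downloads folder marked as Internet zone.
Get-OfficeFileZone -Path "$env:USERPROFILE\Downloads" |
    Where-Object InternetZone |
    Format-Table -AutoSize
```

Files reported with no zone information are treated according to the macro warning setting rather than this policy, which is why copies that lose the stream (for example, on non-NTFS media) are worth noting during an audit.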
Office 2016 provides a Group Policy setting that enables you to disable VBA. By default, VBA is enabled. Use the following guidelines to determine how to configure this setting if you want to disable VBA.
You can only disable VBA by using Group Policy. There isn’t a Trust Center equivalent.
Group Policy setting name: Disable VBA for Office applications
Office 2016 provides a setting that enables you to change the way VBA macros behave in applications that are started programmatically through Automation. By default, when a separate program is used to programmatically start Excel 2016, PowerPoint 2016, or Word 2016, any macros can run in the application that was programmatically started. Use these guidelines to determine how to configure this setting if you want to do the following:
Prevent macros from running in applications that are programmatically started through Automation.
Allow VBA macros to run according to the VBA macro security settings that are configured for the applications that are programmatically started through Automation.
Group Policy setting name: Automation Security
Office 2016 provides a setting that enables you to change the way encrypted VBA macros are scanned by antivirus software in Excel 2016, PowerPoint 2016, and Word 2016. By default, if a document, presentation, or workbook is encrypted and contains VBA macros, the VBA macros are disabled unless antivirus software is installed on the client computer. In addition, encrypted VBA macros are scanned by the client computer’s antivirus software when a user opens a document that contains encrypted macros. Use these guidelines to determine how to configure this setting if you want to do the following:
Allow all encrypted VBA macros to run without being scanned by antivirus software.
Scan encrypted VBA macros if antivirus software is installed, but enable encrypted VBA macros if no antivirus software is installed.
Group Policy setting names: Scan encrypted macros in Excel Open XML documents, Scan encrypted macros in PowerPoint Open XML documents, Scan encrypted macros in Word Open XML documents
Two other settings affect how VBA macros behave in Office 2016 applications. If you are changing VBA macro settings because you have a special security environment, you might want to evaluate the following settings:
Group Policy setting name: Trust access to Visual Basic project
Description: This setting determines whether automation clients can access the VBA project. This setting is a per application setting and can be set individually for Excel 2016, PowerPoint 2016, and Word 2016.
Group Policy setting name: Disable all Trust Bar notifications for security issues
Description: This setting prevents users from seeing Message Bar warnings, such as warnings about unsafe VBA macros. This is a global setting that applies to Excel 2016, PowerPoint 2016, and Word 2016. You can’t configure this setting on a per-application basis.