Microsoft Office macros are disabled for users that do not have a demonstrated business requirement.

Property	Value
ISM Control	ISM-1671
Revision	0
Updated	Sep-21
Guideline	Not provided
Section	User application hardening
Topic	Microsoft Office macros
Essential Eight	ML1, ML2, ML3
PSPF Levels	NC, OS, P, S, TS

Summary

Microsoft Office macros are disabled by default to minimize macro-based attack risk; only users with a demonstrated business need should be granted macro access. If approved, create a dedicated exemption group (for example, “Allow macro execution - Trusted Publisher”) and deploy an Entra ID Access Package so that membership is periodically reviewed.¹

Justification

Macros in Microsoft Office are one of the primary initial-access vectors in malware campaigns. Disabling macros by default — and granting access only on demonstrated business need — reduces the exploitable attack surface while still accommodating legitimate business processes through a controlled approval lifecycle.

Two-tier macro policy approach:

Tier	Group	Macro policy (VBA Macro Notification Settings)	Notes
Default (all users)	Entire user population	`4 = Disable all macros without notification`	ACSC recommended baseline
Exemption (approved users)	Allow macro execution - Trusted Publisher	`3 = Disable all macros except digitally signed macros`	User must accept a prompt from a trusted publisher

By assigning two separate Intune configuration profiles with different VBA Macro Notification Settings registry values (HKCU\Software\Policies\Microsoft\Office\16.0\<App>\Security\VBAWarnings), the exemption group receives a less restrictive setting without changing the default posture for all other users.

Entra ID Access Package — why:

Access Packages enforce a formal request-and-approval workflow before granting group membership.
Periodic access reviews (quarterly or annually) automatically expire approvals unless explicitly renewed, satisfying the “demonstrated business requirement” condition.
The review cadence is auditable and meets PSPF and ACSC record-keeping expectations for privileged function access.

Design Decision

[!NOTE] The Allow macro execution - Trusted Publisher group will be exempt from the policy that disables macros. Membership will be managed via an Entra ID Access Package and will be periodically reviewed. Only users approved to run macros will be added to the group.

Prerequisites

Permissions/Roles
- Create and manage a dedicated group named Allow macro execution - Trusted Publisher that contains users approved to run Office macros when signed by a trusted publisher. This group must be exempt from the general policy that blocks macros by default. [^3]
Dependencies
- Devices must be Windows 10 or later and managed through a deployment platform that can deliver WDAC policies. [^2]
- WDAC policy artifacts and deployment
  - Generate WDAC policy artifacts using the Windows Defender App Control Wizard, producing a Policy XML and a CIP file. For Intune deployment, rename the CIP file to a BIN file and upload it under the policy profile. [^2]
- Intune-based policy deployment
  - Access and use the Intune admin center to create and deploy the WDAC audit policy as a Configuration Profile. [^2]
- Security baseline alignment for Office macros
  - Implement the security baseline for Microsoft 365 Apps in Intune, including enabling the VBA Macro Notification Settings policy and configuring macro protection as per the baseline. [^8]

Implementation Steps

Exclude group for trusted publisher macro execution - WDAC policy deployment

Create a group that contains users who are able to run Office macros if they’re signed by a Trusted Publisher. This group is referred to as Allow macro execution - Trusted Publisher.¹
Save the All Macros Disabled policy to your local device.¹
In the Intune admin center, navigate to Devices → Configuration Profiles.¹
Create a profile with Platform – Windows 10 or Later, Profile Type Templates and Custom.¹
Create a name for the policy (for example, ‘Application Control - Microsoft Allow – Audit’) and select Next.¹
Under OMA-URI Settings, select Add.¹
Note that the OMA-URI configuration depends on the policy ID generated by the Windows Defender App Control Wizard. Use the policy as generated by the wizard: Name = Microsoft Allow Audit, OMA-URL = ./Vendor/MSFT/ApplicationControl/Policies/{GUID}/Policy, Data Type = Base64 (File).¹
The Windows Defender App Control Wizard-generated policy XML also creates a CIP file. Copy the CIP file and rename the extension to .BIN (for example, {GUID}.bin).¹
Upload the BIN under Base64 (File).¹
Save the configuration profile.¹
Follow the prompts to create the Configuration Profile and then deploy the policy to the intended system. For example, deploy a profile named ‘Application Control - Microsoft Allow – Audit’ to the target devices.¹

ASD Blueprint for Microsoft Office hardening provides guidance for Windows endpoint Office macro hardening and related controls ASD Blueprint: Microsoft Office hardening[^6]
ASD Blueprint: Restrict Microsoft Office macros provides actionable steps to restrict macros and align with Essential Eight requirements ASD Blueprint: Restrict Microsoft Office macros[^5]
AppLocker overview outlines how AppLocker can enforce application control policies and security considerations AppLocker overview[^7]
Microsoft Intune security baseline for Microsoft 365 Apps provides default macro controls and VBA Macro Notification Settings guidance Microsoft 365 Apps for Enterprise security baseline settings reference for Microsoft Intune[^8]
Attack Surface Reduction rules reference describes blocking Win32 API calls from Office macros as part of ASR hardening Attack Surface Reduction rules reference¹

Essential Eight configure Microsoft Office macro settings ↩ ↩² ↩³ ↩⁴ ↩⁵ ↩⁶ ↩⁷ ↩⁸ ↩⁹ ↩¹⁰ ↩¹¹ ↩¹² ↩¹³

🛡️ Essential 8 Guide