Implementation guidance for Australian Essential Eight controls in Microsoft environments - ISM controls with PSPF mappings
| Property | Value |
|---|---|
| ISM Control | ISM-1672 |
| Revision | 0 |
| Updated | Sep-21 |
| Guideline | Not provided |
| Section | User application hardening |
| Topic | Microsoft Office macros |
| Essential Eight | ML1, ML2, ML3 |
| PSPF Levels | NC, OS, P, S, TS |
Microsoft Office macros pose a significant security risk, which this control mitigates by enabling antivirus scanning for Office macros and importing the ACSC Office Hardening policy via Intune to enforce macro protections. This reduces the macro-enabled attack surface in end-user environments and aligns with ACSC and Defender guidance.[^1][^2]
How macro antivirus scanning (AMSI) works:
Office VBA and XLM runtimes are instrumented with a circular buffer that records potentially dangerous API calls (e.g., CreateProcess, ShellExecute, URLDownloadToFile). When a trigger API is called, the runtime pauses the macro, packages the buffered log, and passes it to the Antimalware Scan Interface (AMSI) via AmsiScanBuffer. The registered AV provider returns a verdict — if malicious, Office aborts the macro session and the AV can quarantine the file.
Macro Runtime Scan Scope setting details:
| Value | Behaviour |
|---|---|
| 0 | Disabled: no runtime scanning of macros |
| 1 | Scan for low-trust documents (default when not configured): excludes Trusted Locations, Trusted Documents, and macros signed by a Trusted Publisher |
| 2 | Scan all documents: no exclusions, maximum coverage |
Registry path: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Security, value name MacroRuntimeScanScope (DWORD). Group Policy writes to the same key.
Does this require Windows Defender? No — AMSI is a generic interface. Any AV registered under HKLM\SOFTWARE\Microsoft\AMSI\Providers (including Defender, CrowdStrike, Trend Micro) will receive the scan request. Windows Defender is the guaranteed default on all supported Windows devices, which is why ACSC guidance references it explicitly. Third-party AV vendors that implement the AMSI provider API will be invoked in the same way.
Supported Office versions: Office 2016, 2019, 2021, and Microsoft 365 Apps. Office 2010/2013 do not include the AMSI runtime integration.
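The following PowerShell is an added example (not part of this page, nor ACSC or Microsoft tooling) that reports the effective Macro Runtime Scan Scope and the AMSI providers registered to receive the scan request, which is the state a reviewer would want to confirm for this control. It assumes the Office 16.0 hive; the additional `Policies` path it checks is where ADMX-based Group Policy and Intune settings usually land, which is an assumption rather than something the page states.

```powershell
# Added example: verify ISM-1672 macro runtime scanning state on a Windows endpoint.
# Assumes Office 16.0 (2016/2019/2021/Microsoft 365 Apps). The Policies path is an
# assumption about where ADMX-backed settings are written; the second path is the one
# named in the control text.

$ScopeMeaning = @{
    0 = 'Disabled: no runtime scanning of macros'
    1 = 'Scan low-trust documents only (default when not configured)'
    2 = 'Scan all documents: no exclusions'
}

function Get-MacroRuntimeScanScope {
    # A policy value takes precedence over the user preference value when both exist.
    $paths = @(
        'HKCU:\Software\Policies\Microsoft\Office\16.0\Common\Security',  # assumption: ADMX/Intune location
        'HKCU:\Software\Microsoft\Office\16.0\Common\Security'            # path named in the control text
    )
    foreach ($p in $paths) {
        $v = Get-ItemProperty -Path $p -Name MacroRuntimeScanScope -ErrorAction SilentlyContinue
        if ($null -ne $v) {
            return [pscustomobject]@{ Path = $p; Value = [int]$v.MacroRuntimeScanScope }
        }
    }
    # Not configured anywhere: Office behaves as value 1.
    return [pscustomobject]@{ Path = '(not configured)'; Value = 1 }
}

function Get-AmsiProvider {
    # Each subkey under Providers is the CLSID of a registered AMSI provider.
    # Resolve its friendly name from HKEY_CLASSES_ROOT\CLSID when available.
    $providersKey = 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers'
    Get-ChildItem -Path $providersKey -ErrorAction SilentlyContinue | ForEach-Object {
        $clsid = $_.PSChildName
        $name  = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid" -ErrorAction SilentlyContinue).'(default)'
        [pscustomobject]@{ CLSID = $clsid; Name = $name }
    }
}

function Test-Ism1672MacroScanning {
    $scope     = Get-MacroRuntimeScanScope
    $providers = @(Get-AmsiProvider)
    [pscustomobject]@{
        ScanScopeValue  = $scope.Value
        ScanScopeSource = $scope.Path
        Behaviour       = $ScopeMeaning[$scope.Value]
        AmsiProviders   = ($providers.Name -join ', ')
        # Compliant with the "scan all documents" requirement only when value 2 is set
        # and at least one AMSI provider is registered to act on the scan.
        Compliant       = ($scope.Value -eq 2 -and $providers.Count -gt 0)
    }
}

Test-Ism1672MacroScanning | Format-List
```

Run it in the context of the signed-in user, since the scope value lives under HKCU; a result of `Compliant: False` with `ScanScopeSource: (not configured)` means the ACSC Office Hardening policy has not yet reached the device, while a value of 2 with no providers listed indicates the AV product is not registered as an AMSI provider and the scan request would have nowhere to go.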
> [!NOTE]
> The ACSC Office Hardening policy will be imported into Intune configuration profiles and applied to All Office Users. It will enable the Macro Runtime Scan Scope: Enabled for all documents setting, corresponding to the Scan macros in Office files requirement.

1. Save the ACSC Office Hardening Guidelines policy to your local device.[^1]
2. In the Intune console, import a policy under Devices > Windows > Configuration profiles > Create > Import Policy. Name the policy, browse for the policy file saved in step 1, and click Save.[^1]
3. Create a policy set to apply the hardening policies. Navigate to Devices > Policy sets > Create. Under Application Management > Apps, select Microsoft 365 Apps (for Windows 10 and later). Under Device Management > Device Configuration Profiles, select ACSC Office Hardening. Under Assignments, select All Office Users.[^1]
4. Import the Attack Surface Reduction (ASR) policy as part of the policy set. Import the Endpoint Security ASR policy by navigating to Graph Explorer and authenticating. Copy the JSON from the ACSC Windows Hardening Guidelines-Attack Surface Reduction policy and paste it into the request body. (Optional) Modify the name value if necessary, then assign the policy to All Office Users.[^1]
5. Confirm macro antivirus scanning is enabled as part of the ACSC Office Hardening configuration. The policy configures the Macro Runtime Scan Scope setting to scan macros in all Office documents.
- ASD Blueprint: Restrict Microsoft Office macros provides implementation guidance for blocking macros in Office as part of the Essential Eight. [^4]
- ASD Blueprint: Microsoft Office hardening outlines broad hardening guidance for Office apps, including macro controls and defensive settings. [^6]
- ASD Blueprint: User application hardening explains technical controls for hardening user applications, including Microsoft Office macros. [^3]
- Macros from the internet are blocked by default in Office describes the policy that blocks internet macros and related Defender guidance. [^5]
- Attack surface reduction rules reference explains the ASR rules affecting Office macros and how to apply them with Defender. [^9]
- Macro malware covers how macro malware is delivered and how Defender detects and mitigates it. [^2]
- Essential Eight configure Microsoft Office macro settings guides configuring macro policies and ACSC guideline import via Intune. [^1]