Only Microsoft Office macros running from within a sandboxed environment, a Trusted Location or that are digitally signed by a trusted publisher are allowed to execute.

Property	Value
ISM Control	ISM-1674
Revision	0
Updated	Sep-21
Guideline	Not provided
Section	User application hardening
Topic	Microsoft Office macros
Essential Eight	ML3
PSPF Levels	NC, OS, P, S, TS

Summary

Only Microsoft Office macros running in a sandboxed environment, from a Trusted Location, or digitally signed by a trusted publisher are allowed to execute. This mitigates macro-based malware risk and requires a separate policy targeted to specific devices that allow only macros signed by Trusted Publishers via Intune policy, with members excluded from other macro-blocking policies to avoid conflicts.¹

Justification

Restricting macro execution to only digitally signed macros from trusted publishers provides a cryptographically verifiable chain of trust between a macro’s author and its execution on a device. This is the final control in a layered macro governance model:

Layer	ISM Control	What it does
Block all macros by default	ISM-1671	Reduces attack surface for the general user population
Scan enabled macros at runtime	ISM-1672	Catches malicious behaviour even in permitted macros
Block Win32 API calls from macros	ISM-1673	Blocks post-execution exploitation
Only allow signed macros for approved users	ISM-1674	Ensures any permitted macro has a verifiable author

Why V3 signatures are required:

CVE-2020-0760 demonstrated that V1/V2-signed macros could be altered after signing without invalidating the signature (weaker SHA-1-based hash, partial coverage of the VBA project).
V3 uses SHA-256 and covers the full VBA project (modules, references, metadata), so any post-signing change invalidates it.
V3 requires a certificate with the Code Signing EKU and follows the Authenticode trust model — the same kernel-mode validation used for drivers and executables.
The Group Policy “Only trust VBA macros that use V3 signatures” prevents Office from falling back to V1/V2 acceptance.

[!WARNING] V3 signatures require Microsoft 365 current channel or Office 2019/2021/LTSC 2024 (build ≥ 1808 with December 2020 security updates). Office 2016 pre-December 2020 does not support V3 and will reject V3-signed macros.

Risk of a compromised Trusted Publisher certificate:

A compromised code-signing certificate allows an attacker to sign malicious VBA code that any device with the publisher’s certificate in its Trusted Publishers store will automatically execute. Mitigate by storing the private key on a Hardware Security Module (HSM), enabling the Group Policy “Block certificates from trusted publishers that are installed in the current user store”, and monitoring certificate usage through audit logs. Revoke and rotate the certificate immediately if compromise is suspected.

Design Decision

[!NOTE] The Allow macro execution - Trusted Publisher policy will be created and targeted to a specific device set using Intune policy to allow only macros signed by a Trusted Publisher. Members of this policy will be excluded from the All Macros Disabled policy to avoid conflicts with macro blocking policy settings.

Prerequisites

Dependencies

Microsoft Intune enrollment of target devices and management via a directory service (Entra ID) or hybrid Azure AD joined.¹
A separate policy named Macros Enabled for Trusted Publishers to allow macros signed by trusted publishers; a separate policy must be created and imported via Intune.¹
A dedicated group named Allow macro execution - Trusted Publisher to contain users allowed to run signed macros; this group must be excluded from the All Macros Disabled policy to avoid conflicts.¹
A locally stored policy file for Macros Enabled for Trusted Publishers (Macros Enabled for Trusted Publishers.json); Import via Intune: Devices > Windows > Configuration profiles > Create > Import Policy; assign to the appropriate group (for example, Allow macro execution - Trusted Publisher) after import.¹
A process to deploy and manage Trusted Publisher certificates in the Trusted Publishers certificate store via Intune; deploy required Trusted Publisher certificates.¹
Macros must be digitally signed with the V3 signature scheme.¹
Regular verification of Trusted Publishers:
- Validate the list of Trusted Publisher certificates on devices; ensure certificates are still required, within validity, and have a valid chain of trust; remove expired or unneeded certificates.¹
Microsoft Defender for Endpoint (MDE) onboarding for Intune-managed devices:
- Onboard endpoints to MDE; Configure a Windows Configuration Profile with type Template > Defender for Endpoint; set Telemetry to Enabled; assign to a deployment group; Onboarding to MDE enables logging of macro execution events. The integration between Intune and MDE enables easy onboarding into MDE for Intune managed devices.¹
Attack Surface Reduction (ASR) rules enabled on devices:
- Enable ASR rules including blocking Win32 API calls from Office macros; ASR rules logging supports detection and response; Onboard devices into MDE to capture ASR events.²³
Administrators should validate Trusted Publisher certificates annually or more frequently; remove expired certificates and associated policies as needed.¹

Implementation Steps

Separate policy for Trusted Publisher macro execution

Create a group that contains users that can run Office macros if they’re signed by a Trusted Publisher. This group is referred to as: Allow macro execution - Trusted Publisher and must be excluded from other Office macro policies to avoid conflicts.¹
Save the All Macros Disabled policy to your local device. (The policy to block macros is not included in the Policy Set; this provides the ability to selectively exempt groups of users.)¹
In the Microsoft Intune console, navigate to Devices > Windows > Configuration profiles > Create > Import Policy.¹
Name the policy, select Browse for files under Policy file and navigate to the saved policy from step 2.¹
Select Save.¹
Assign the All Macros Disabled policy to All Office Users (that was created at the start).¹
Exclude the Allow macro execution - Trusted Publisher group (from step 1) to avoid conflicts with the block policy.¹
Save the Macros Enabled for Trusted Publishers policy to your local device. (This policy allows macros signed by Trusted Publishers to run for the exempt group.)¹
In the Microsoft Intune console, navigate to Devices > Windows > Configuration profiles > Create > Import Policy, and import the policy saved in step 8.¹
Name the policy, select Browse for files under Policy file and navigate to the saved policy from step 8.¹
Select Save.¹
Assign the policy to the group: Allow macro execution - Trusted Publisher.¹
Create a new policy for each Trusted Publisher, and deploy any Trusted Publishers certificate policies to the same group: Allow macro execution – Trusted Publisher.¹
Note: When signing macros, use the more secure version of the VBS project signature scheme: V3 signature.¹

ASD Blueprint for Microsoft Office hardening provides design guidance for implementing macro hardening and Attack Surface Reduction controls ASD Blueprint: Microsoft Office hardening
ASD Blueprint: Restrict Microsoft Office macros provides practical steps to restrict execution to Trusted Publishers and reduce macro risk ASD Blueprint: Restrict Microsoft Office macros
Macros from the internet are blocked by default in Office explains Microsoft policy to block macros from running in Office files from the Internet Macros from the internet are blocked by default in Office
Microsoft 365 Apps for Enterprise security baseline settings reference for Microsoft Intune (v2306) documents baseline Office macro settings and how to configure them in Intune Microsoft 365 Apps for Enterprise security baseline settings reference for Microsoft Intune (v2306)
Create Your AppLocker rules explains how to create AppLocker rules for application control and can be used as part of a defense-in-depth WDAC-like approach Create Your AppLocker rules

🛡️ Essential 8 Guide