Disable Office Macros

What the Office Macro Blocker does

This Automox Worklet™ configures Microsoft Office 2016 to block macro execution in documents downloaded from the internet. Macros embedded in Word documents, Excel spreadsheets, and PowerPoint presentations represent a primary vector for malware delivery. The Worklet sets the blockcontentexecutionfrominternet registry value for each Office application.

The Worklet applies settings at the user profile level rather than the machine level. It iterates through all user profiles on the endpoint by enumerating Security Identifiers (SIDs) in the ProfileList registry key. For each profile, it loads the user's registry hive and creates the necessary security policy entries.

The Worklet examines registry keys including HKLM:\SOFTWARE\Microsoft\Windows. SID) $($Item.UserHive) | Out-Nul", "Get-ItemProperty", and "Set-ItemProperty".

The configuration targets Office 2016 (version 16.0) security policies under HKEY_USERS\{SID}\Software\Policies\Microsoft\Office\16.0\{Application}\Security. This approach provides comprehensive protection across all users who log into the endpoint, including users whose profiles were created before the Worklet ran.

Why block Office macros from internet downloads

Macro-enabled malware remains the top initial access vector for ransomware attacks. Attackers embed malicious Visual Basic for Applications (VBA) code in Word documents, Excel spreadsheets, and PowerPoint files delivered through phishing emails. Users who click "Enable Content" unknowingly execute payload downloaders that install ransomware, banking trojans, or credential stealers.

Use this Worklet to stop Emotet, TrickBot, Qakbot, and similar malware families that depend on Office macros for initial compromise. These threat actors craft convincing phishing lures with fake invoices, shipping notifications, or legal documents that trick users into enabling macros.

The policy targets only internet-downloaded files identified by the Mark of the Web (MOTW) flag. Legitimate macro-enabled documents from internal file shares, SharePoint sites, or locally created files remain functional. Your users retain productivity while blocking the primary phishing attack vector.

Security frameworks including CIS Microsoft Office Benchmark 1.1.1 and NIST Cybersecurity Framework recommend blocking internet macros. This Worklet implements the blockcontentexecutionfrominternet registry policy across all user profiles to maintain consistent protection.

How Office macro blocking works

1. Evaluation phase: The Worklet always returns non-compliant (exit code 1) to force remediation on every run. This approach treats the setting as a continuous enforcement rather than a one-time configuration, which helps when new user profiles are created on the endpoint.

2. Remediation phase: The Worklet enumerates all user SIDs from HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList and loads each user's ntuser.dat registry hive. For each user, it creates registry keys under Software\Policies\Microsoft\Office\16.0\ for Word, Excel, and PowerPoint Security folders, then sets blockcontentexecutionfrominternet to 1. After processing, it unloads any manually loaded registry hives.

Office macro blocking requirements

• Microsoft Office 2016 (version 16.0) installed

• Windows 7 or later with PowerShell 2.0+

• Administrative privileges to access HKEY_USERS registry hives

• User profiles to configure (at least one user profile must exist)

Expected macro blocking behavior after configuration

After remediation, users cannot execute macros in internet-downloaded Office files regardless of clicking "Enable Content." When opening a document with the Mark of the Web attribute, Office displays a red security banner stating "BLOCKED CONTENT" with no bypass option. This protects users from phishing attacks that rely on social engineering to enable malicious macros.

Documents from internal file shares, SharePoint Online, or locally created on the endpoint continue to support macro execution. Users working with legitimate automation, mail merge templates, or custom business workflows experience no disruption.

Verify configuration by checking HKEY_USERS\{SID}\Software\Policies\Microsoft\Office\16.0\Word\Security\blockcontentexecutionfrominternet equals 1 for each user profile. Test by downloading a macro-enabled document from the internet and confirming Office blocks execution without an enable option.

How to validate disable office macros changes

1. Run this Worklet on a pilot Windows endpoint and review evaluation output for disable office macros.

2. Confirm Automox activity logs show successful completion and exit code 0.

3. Verify endpoint state using checks aligned to evaluation script logic, such as the evaluation and remediation scripts.

4. Validate remediation effects from script operations such as Get-ItemProperty, Where-Object, Select-Object, then rerun evaluation for compliance.