🎯 Purpose
✅ Disable all Microsoft Office VBA macros by default across desktop Office applications, meeting Essential Eight – Macro Controls (Maturity Level 3) requirements.
➡️ This prevents macro‑based malware, ransomware, and phishing payloads from executing.
👥 Who is affected
✅ Users: Members of the assigned group
🚫 Exclusions: One excluded group (e.g. approved developers or automation accounts)
➡️ Macros are blocked for all targeted users unless explicitly exempted.
☁️ What access is protected
✅ Applications: Word, Excel, PowerPoint, Outlook, Access, Publisher, Visio, Project
✅ Platform: Windows (Microsoft 365 Apps for Enterprise)
➡️ Macro execution is blocked across all major Office desktop applications.
🔐 How macros are enforced
✅ All VBA macros are disabled with no user prompts
✅ Automation security is set to the strictest level
✅ Trusted locations are disabled (including network locations)
✅ Trusted documents are disabled (including network‑based documents)
✅ Access to the VBA project object model is blocked
➡️ There is no “Enable Content” option and no user bypass path.
ℹ️ Note
This policy applies to Microsoft 365 Apps for Enterprise (E3/E5).
Controlled exclusions allow legitimate macro usage without weakening the baseline security posture.
⚙️ What this policy does NOT allow
🚫 Trusted locations (local or network)
🚫 Trusted documents or “remember trust” prompts
🚫 VBA project model access
🚫 User‑initiated macro enablement
➡️ These restrictions are intentional and required for Maturity Level 3.
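The two lists above (how macros are enforced, and what the policy does not allow) map onto a small set of Office policy registry values. The following read-only audit script is an added example, not part of this policy page or of any Microsoft tooling: it reads the effective values in the current user's policy hive and reports any setting that deviates from the Maturity Level 3 baseline described above. It assumes Office 16.0 (Microsoft 365 Apps for Enterprise), that the policy is delivered as ADMX-backed Office settings landing under HKCU:\Software\Policies, and that Outlook's macro setting is the separate "Level" value; the base path, application list and the Outlook value name are assumptions to adjust for your tenant.

```powershell
# Added audit script (not the policy page's or Microsoft's own code). Read-only:
# it changes nothing, it only compares effective values with the ML3 baseline.
# Assumptions: Office 16.0, ADMX-backed policy under HKCU:\Software\Policies,
# Outlook macro security delivered as Outlook\Security\Level (adjust as needed).

$Base = 'HKCU:\Software\Policies\Microsoft\Office\16.0'
$Apps = 'Word', 'Excel', 'PowerPoint', 'Access', 'Publisher', 'Visio', 'Project'

# Expected per-application values: relative value path -> required data
$PerApp = [ordered]@{
    'Security\VBAWarnings'                                      = 4  # disable all macros, no notification
    'Security\AccessVBOM'                                       = 0  # block access to the VBA project object model
    'Security\Trusted Locations\AllLocationsDisabled'           = 1  # no trusted locations at all
    'Security\Trusted Locations\AllowNetworkLocations'          = 0  # no network trusted locations
    'Security\Trusted Documents\DisableTrustedDocuments'        = 1  # no trusted documents
    'Security\Trusted Documents\DisableNetworkTrustedDocuments' = 1  # no network-based trusted documents
}

# Expected Office-wide and Outlook-specific values
$Global = [ordered]@{
    'Common\Security\AutomationSecurity' = 3  # automation security: disable all macros
    'Outlook\Security\Level'             = 4  # Outlook: never warn, disable all (assumed value name)
}

function Test-OfficeMacroPolicy {
    $checks = @()
    foreach ($app in $Apps) {
        foreach ($entry in $PerApp.GetEnumerator()) {
            $checks += [pscustomobject]@{ Scope = $app; Path = "$Base\$app\$($entry.Key)"; Expected = $entry.Value }
        }
    }
    foreach ($entry in $Global.GetEnumerator()) {
        $checks += [pscustomobject]@{ Scope = 'Office'; Path = "$Base\$($entry.Key)"; Expected = $entry.Value }
    }

    $results = foreach ($c in $checks) {
        $key  = Split-Path -Path $c.Path -Parent   # registry key
        $name = Split-Path -Path $c.Path -Leaf     # value name under that key
        $actual = $null
        if (Test-Path -Path $key) {
            $actual = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        }
        [pscustomobject]@{
            Scope     = $c.Scope
            Setting   = $name
            Expected  = $c.Expected
            Actual    = if ($null -eq $actual) { '<not set>' } else { $actual }
            Compliant = ($actual -eq $c.Expected)   # a missing value is non-compliant
        }
    }
    return $results
}

$report = Test-OfficeMacroPolicy
$report | Format-Table Scope, Setting, Expected, Actual, Compliant -AutoSize

$failed = @($report | Where-Object { -not $_.Compliant })
if ($failed.Count -gt 0) {
    Write-Warning "$($failed.Count) setting(s) deviate from the Essential Eight ML3 macro baseline."
    exit 1
}
Write-Host 'All checked macro settings match the ML3 baseline.'
```

Run it in the context of a user who is a member of the inclusion group (not the exclusion group) after a policy sync; a non-zero exit with the table of non-compliant rows is the signal that the policy has not applied as expected or has been overridden. Because a value that is simply absent is reported as non-compliant, the script also catches the case where the policy was never delivered at all, which is the failure mode that silently leaves the default "Enable Content" prompt in place.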
🟢 Policy status
✅ Enabled
✅ Actively enforcing macro blocking
✅ Assigned via an inclusion group with a defined exclusion group
📘 Essential Eight Alignment
✅ Meets Essential Eight – Macro Controls (Maturity Level 3)
✅ Macros are disabled by default across all Office applications
✅ No user override or trust‑based bypass is possible
ℹ️ Controlled exceptions can be managed via the excluded group where justified.
📘 Practical Interpretation (Executive‑Friendly)
This configuration policy ensures that:
✅ Office macros cannot run by default
✅ Common phishing and ransomware attack methods are blocked
✅ Only explicitly approved users can be exempted when required
This delivers maximum macro protection in line with Essential Eight Maturity Level 3, while still supporting legitimate business exceptions through controlled group exclusions.