🎯 Purpose
✅ Allow Microsoft Office macros only when they are digitally signed and trusted, meeting Essential Eight – Macro Controls (Maturity Level 2) requirements.
➡️ This enables legitimate business macros while blocking all untrusted or unsafe macro execution paths.
👥 Who is affected
✅ Users: Members of the assigned (macro‑approved) group
🚫 Exclusions: None within this policy (this group is excluded from the “All Macros Disabled” baseline)
➡️ Only approved users can run macros, and only under strict trust conditions.
☁️ What access is protected
✅ Applications: Word, Excel, PowerPoint, Outlook, Access, Publisher, Visio, Project
✅ Platform: Windows (Microsoft 365 Apps for Enterprise)
➡️ Macro execution across Office desktop applications is tightly controlled.
🔐 How macros are enforced
✅ Macros can run only if digitally signed by a trusted publisher
✅ Macros from the internet are blocked
✅ Trusted locations are disabled (local and network)
✅ Trusted documents are disabled (including network‑based documents)
✅ Access to the VBA project object model is blocked
✅ Automation security is enforced to prevent COM/script abuse
✅ Runtime antivirus scanning is enforced for macro execution
✅ UI elements that allow “Enable Content” or bypass prompts are removed
➡️ Users cannot override, bypass, or self‑approve macro execution.
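An added audit script (not part of this policy page or the tenant's own tooling) that reads the Office 16.0 policy registry values behind the controls listed above and flags any that are missing or weakened on a signed-in user's machine. The key paths, value names and expected values are assumptions drawn from standard Office policy settings; Outlook and Project use different value names and are not checked here.

```powershell
# Constructed audit script: compares the per-user Office policy registry with the
# macro controls this policy is meant to enforce. Assumes Microsoft 365 Apps (16.0 hive)
# and policies delivered under HKCU\Software\Policies; apps listed share one key layout.
$base = 'HKCU:\Software\Policies\Microsoft\Office\16.0'
$apps = 'word', 'excel', 'powerpoint', 'access', 'publisher', 'visio'   # assumption: same layout

# Per-application settings: expected value and the control on this page it implements
$perApp = @(
    @{ Sub = 'Security';                   Name = 'VBAWarnings';                       Expected = 3; Control = 'Only digitally signed macros run' }
    @{ Sub = 'Security';                   Name = 'blockcontentexecutionfrominternet'; Expected = 1; Control = 'Macros from the internet blocked' }
    @{ Sub = 'Security';                   Name = 'AccessVBOM';                        Expected = 0; Control = 'VBA project object model blocked' }
    @{ Sub = 'Security\Trusted Locations'; Name = 'AllLocationsDisabled';              Expected = 1; Control = 'Trusted locations disabled' }
    @{ Sub = 'Security\Trusted Locations'; Name = 'AllowNetworkLocations';             Expected = 0; Control = 'Network trusted locations disabled' }
    @{ Sub = 'Security\Trusted Documents'; Name = 'DisableTrustedDocuments';           Expected = 1; Control = 'Trusted documents disabled' }
    @{ Sub = 'Security\Trusted Documents'; Name = 'DisableNetworkTrustedDocuments';    Expected = 1; Control = 'Network trusted documents disabled' }
)
# Office-wide settings under Common\Security
$common = @(
    @{ Path = "$base\Common\Security"; Name = 'AutomationSecurity';    Expected = 3; Control = 'Automation security: macros disabled when Office is automated' }
    @{ Path = "$base\Common\Security"; Name = 'MacroRuntimeScanScope'; Expected = 2; Control = 'Runtime antivirus scanning for all documents' }
)

function Test-Setting($Path, $Name, $Expected, $Control) {
    # A missing value means the control is not enforced by policy at all, so it is a mismatch too.
    $actual = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    [pscustomobject]@{
        Control  = $Control
        Key      = "$Path\$Name"
        Expected = $Expected
        Actual   = if ($null -eq $actual) { '<not set>' } else { $actual }
        Status   = if ($actual -eq $Expected) { 'OK' } else { 'MISMATCH' }
    }
}

$results = @()
foreach ($app in $apps) {
    foreach ($s in $perApp) { $results += Test-Setting "$base\$app\$($s.Sub)" $s.Name $s.Expected "$($s.Control) ($app)" }
}
foreach ($s in $common) { $results += Test-Setting $s.Path $s.Name $s.Expected $s.Control }

$results | Sort-Object Status | Format-Table -AutoSize
# Non-zero exit when any control is missing or weakened, so the script can gate a compliance check
if ($results | Where-Object Status -ne 'OK') { exit 1 }
```

Run it in the session of a user in the macro-approved group after policy has applied; a user outside that group should instead show the stricter values of the separate "All Macros Disabled" policy.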
ℹ️ Note
This policy is designed for teams that require controlled macro usage (e.g. finance, BI, automation).
It operates alongside a separate “All Macros Disabled” policy, which enforces Maturity Level 3 for all other users.
⚙️ What this policy does NOT allow
🚫 Unsigned or untrusted macros
🚫 Macros from internet‑sourced files
🚫 Trusted locations or trusted documents
🚫 User prompts or click‑through bypass options
🚫 Programmatic modification of VBA projects
➡️ These restrictions are intentional and required for Maturity Level 2.
🟢 Policy status
✅ Enabled
✅ Actively enforcing signed‑macro allow‑listing
✅ Applied via a dedicated approved group
📘 Essential Eight Alignment
✅ Meets Essential Eight – Macro Controls (Maturity Level 2)
✅ Only vetted, trusted macros are permitted
✅ User override and trust‑based bypass paths are removed
ℹ️ Full macro disablement for non‑approved users is enforced separately under Maturity Level 3.
📘 Practical Interpretation (Executive‑Friendly)
This configuration policy ensures that:
✅ Only approved users can run macros
✅ Only trusted, signed macros are allowed to execute
✅ Common phishing and malware macro techniques are blocked
This provides a controlled macro‑allowlist model aligned with Essential Eight Maturity Level 2, while preserving critical business workflows and maintaining a strong security posture.