Announcement

Timeline for VBA Macros Blocked by Default in Microsoft Office

Enterprise customers are next in line to have macros blocked by default in Office files from the web. The policy addresses a real problem, but does it actually help?

Mike Wolfe

3 min read
Timeline for VBA Macros Blocked by Default in Microsoft Office

I wrote previously about Microsoft's plan to block all macros (VBA) in Office files from untrusted locations (e.g., downloaded from the web or attached to emails):

Office to Disable All VBA Code in Files from the Internet
Beginning in April 2022, users will no longer have the option to manually enable VBA code in Office files downloaded from the internet.
No Longer SetMike Wolfe

Microsoft briefly backtracked, before re-implementing the plan.  The change has already been rolled out to users on the Preview and Current channels of Microsoft 365.  This change is headed to Enterprise customers next, with the first Enterprise channels being updated on October 11, 2022.

Updated Timeline

Here's the full timeline from Microsoft:

Update channel Version Date
Current Channel (Preview) Version 2203 Started rolling out on April 12, 2022
Current Channel Version 2206 Started rolling out on July 27, 2022
Monthly Enterprise Channel Version 2208 October 11, 2022
Semi-Annual Enterprise Channel (Preview) Version 2208 October 11, 2022
Semi-Annual Enterprise Channel Version 2208 January 10, 2023

Mark of the Web

As a reminder, Office uses the so-called "mark of the web" to flag files as "potentially unsafe."  For more information about this, check out my articles: Details about the Mark-of-the-Web (MOTW) and Mark of the Web (MOTW) Support Among Zip Utilities.

The Very Real Danger of Malicious VBA...

As much as this new policy is inconvenient, malicious VBA in Office files is a very real and very common threat.  

...And the Unintended Consequences of Misguided Policy

Whether Microsoft's new approach will be better than their old one remains to be seen.  

I have a sneaking suspicion that a bunch of users out there will just make their Downloads directory a "Trusted Location."  Which means that suspicious files they download from the internet in the future won't even come with the old warning before the code starts executing.  Sure, most users probably just clicked through the old yellow warning without even reading it.  But for users who work around the more aggressive VBA blocking scheme by trusting their Downloads folder, they won't even get that visual reminder that the file they are opening might be a problem.

My prediction: within the next twelve months, users won't be allowed to mark their Downloads folder as a trusted location.

To quote Rick Cook:

“Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the Universe trying to produce bigger and better idiots. So far, the Universe is winning.”

Your move, Universe.

Macros from the internet are blocked by default in Office - Deploy Office
Provides guidance for admins about how Office blocks macros in files from the internet.
Microsoft LearnDHB-MSFT

Referenced articles

Mark-of-the-Web (MOTW) Details
Microsoft announced that VBA will be blocked soon in all files from the web. Let’s dive into how Windows manages this “Mark of the Web.”
No Longer SetMike Wolfe
Mark of the Web (MOTW) Support Among Zip Utilities
What happens to the Mark of the Web when you extract files from a downloaded .zip file? It depends on what you use to do the extraction.
No Longer SetMike Wolfe
Yes, VBA-Enabled Office Docs are a Significant Threat
VBA-enabled documents are commonly used to open the door for more virulent malware.
No Longer SetMike Wolfe

Image by Niek Verlaan from Pixabay

Never miss an article.

Sign up to receive a Sunday morning email with links and recaps of the seven articles published that week.
(I'll never sell your email. Unsubscribe any time.)


Enter your email
Subscribe

All original code samples by Mike Wolfe are licensed under CC BY 4.0