Disable all Microsoft Office macros globally for all users

Due to popular "locky" and similar malware out there I need to disable macros for all installed Microsoft Office products (Word, Excel...) globally for any user who logs in into a particular server running Windows Server 2012 R2.

How to do that?

The server is not a domain controller, so I have no Administrative templates available, as suggest some resources I've read.

Thank you!


Solution 1:

It can be done via Group Policy with appropiate Administrative Templates present. This HOWTO is for machines with no GPO central store [1]. You might use the classic templates (ADM) [2], or the new ones (ADMX). I recommend ADMX, not only because it is newer and not obsolete, but mainly because it allows you to browse All Settings in the GPOs at once.

  1. Download the templates: go to https://www.microsoft.com/en-us/download and search for "Office 20xx Administrative Template files", where xx is your Office version installed.
  2. Extract the files to some temporary location (it is usually a self-extracting exe, or msi package). Here is how to extract files from msi [3].
  3. Copy all the ADMX files into %systemroot%\PolicyDefinitions\ and included language files into %systemroot%\PolicyDefinitions\<appropiate_language_directory> (probably en-US)
  4. Set-up the GPOs:
    1. under User Configuration -> Administrative Templates -> Microsoft Office 20xx -> Security Settings -> enable the Disable VBA for Office applications.
    2. [optional] you might also want to enable the Disable All ActiveX option in the same branch.
    3. go to User Configuration -> Administrative Templates -> Microsoft 20xx -> Options -> Security -> Trust Center -> enable the VBA Macro Notification Settings as "Disable all without notification"

hint: Group Policy Editor is "gpedit.msc"

[1] https://support.microsoft.com/en-us/help/929841/how-to-create-the-central-store-for-group-policy-administrative-template-files-in-windows-vista

[2] https://superuser.com/a/1073064/440382

[3] How do I extract files from an MSI package?

Solution 2:

It can be done via Group Policy with appropiate Administrative Templates installed/imported.

  1. Download the templates: go to https://www.microsoft.com/en-us/download and search for "Office 20xx Administrative Template files", where xx is your Office version installed.
  2. Import them to Group Policy Editor: right click on User Configuration -> Administrative Templates and click "Add/Remove Templates" -> Add -> browse to the folder you saved the templates to (browse to the ADM folder) -> OK
  3. Set it all up:
    1. under User Configuration -> Administrative Templates -> Clasic Administrative Templates (ADM) -> Microsoft Office 20xx -> Security Settings -> enable the Disable VBA for Office applications
    2. in the same branch select all product you want to have macros disabled (typically Word, Excel and Powerpoint) and go to Microsoft 20xx -> Options -> Security -> Trust Center -> enable the VBA Macro Notification Settings as "Disable all with notification"

hint: Group Policy Editor is "gpedit.msc"