Disable all Microsoft Office macros globally for all users
Due to popular "locky" and similar malware out there I need to disable macros for all installed Microsoft Office products (Word, Excel...) globally for any user who logs in into a particular server running Windows Server 2012 R2.
How to do that?
The server is not a domain controller, so I have no Administrative templates available, as suggest some resources I've read.
Thank you!
Solution 1:
It can be done via Group Policy with appropiate Administrative Templates present. This HOWTO is for machines with no GPO central store [1]. You might use the classic templates (ADM) [2], or the new ones (ADMX). I recommend ADMX, not only because it is newer and not obsolete, but mainly because it allows you to browse All Settings
in the GPOs at once.
- Download the templates: go to https://www.microsoft.com/en-us/download and search for "Office 20xx Administrative Template files", where xx is your Office version installed.
- Extract the files to some temporary location (it is usually a self-extracting exe, or msi package). Here is how to extract files from msi [3].
- Copy all the ADMX files into
%systemroot%\PolicyDefinitions\
and included language files into%systemroot%\PolicyDefinitions\<appropiate_language_directory>
(probablyen-US
) - Set-up the GPOs:
- under User Configuration -> Administrative Templates -> Microsoft Office 20xx -> Security Settings -> enable the Disable VBA for Office applications.
- [optional] you might also want to enable the Disable All ActiveX option in the same branch.
- go to User Configuration -> Administrative Templates -> Microsoft 20xx -> Options -> Security -> Trust Center -> enable the VBA Macro Notification Settings as "Disable all without notification"
hint: Group Policy Editor is "gpedit.msc"
[1] https://support.microsoft.com/en-us/help/929841/how-to-create-the-central-store-for-group-policy-administrative-template-files-in-windows-vista
[2] https://superuser.com/a/1073064/440382
[3] How do I extract files from an MSI package?
Solution 2:
It can be done via Group Policy with appropiate Administrative Templates installed/imported.
- Download the templates: go to https://www.microsoft.com/en-us/download and search for "Office 20xx Administrative Template files", where xx is your Office version installed.
- Import them to Group Policy Editor: right click on User Configuration -> Administrative Templates and click "Add/Remove Templates" -> Add -> browse to the folder you saved the templates to (browse to the ADM folder) -> OK
- Set it all up:
- under User Configuration -> Administrative Templates -> Clasic Administrative Templates (ADM) -> Microsoft Office 20xx -> Security Settings -> enable the Disable VBA for Office applications
- in the same branch select all product you want to have macros disabled (typically Word, Excel and Powerpoint) and go to Microsoft 20xx -> Options -> Security -> Trust Center -> enable the VBA Macro Notification Settings as "Disable all with notification"
hint: Group Policy Editor is "gpedit.msc"