Yes, Microsoft Will Still Block VBA Macros by Default

Posted on July 23, 2022 by Paul Thurrott in Microsoft 365, Office with 4 Comments

After a strange bit of back-and-forth, Microsoft announced that it will resume blocking VBA macros in Office by default starting July 27.

“We’re resuming the rollout of this change in Current Channel,” Microsoft’s Kellie Eickmeyer explains in a blog post that was originally published in February but updated this past week. “Based on our review of customer feedback, we’ve made updates to both our end user and our IT admin documentation to make clearer what options you have for different scenarios. For example, what to do if you have files on SharePoint or files on a network share.”

Microsoft had announced in February that it would start blocking VBA macros obtained from the Internet by default in Office, forcing users to jump through a few hoops to run potentially dangerous code. But it appeared to backtrack earlier this month when it revealed that it was rolling back the change, which had been scheduled for June, because of feedback, presumably from corporate customers.

Security experts howled, explaining that VBA macros are inherently insecure.

“Sad decision,” Google Threat Analysis Group leader Shane Huntley tweeted. “Blocking Office macros would do infinitely more to actually defend against real threats than all the threat intel blog posts. I always see our main mission in threat intelligence is to drive the changes to protect people.”

But Microsoft never intended to not block the macros: it had rolled back the change to make “some additional changes to enhance usability,” and it said at that time that it was just a temporary thing. “We are fully committed to making the default change for all users.”

And now it has. Users interested in learning about the experience they’ll see when they try to run Internet-obtained VBA macros can refer to the Microsoft Support website. And Microsoft has a separate resource for IT pros as well.


4 responses to “Yes, Microsoft Will Still Block VBA Macros by Default”

  1. truerock2

    There are dozens of confusing warning messages that pop up for the Windows 10 users at our office. Nobody knows what they mean, and they have to have a notebook that they refer to for various processes, so they know when to ignore the warnings.


    I understand what Microsoft is trying to accomplish - it's just that Microsoft is disorganized about how they warn users about things. The warning messages pop up in all kinds of different dialog boxes, banners, etc.


    Regardless, when we turn off security in various things in Microsoft Office to help users, Microsoft doesn't provide a way to do it at the vba macro or document level. You can only turn it off for the entire Microsoft application or for all of Office or for all of Windows. The user has to refer to her notes as to whether the warning message is normal and needs to be ignored within a specific application or process.

    • hrlngrv

      | Microsoft doesn't provide a way to do it at the vba macro or document level


      Yes it does. You can sign macros for in-house models which need to run VBA code. That's workbook-level.

  2. Daekar

    I hope to goodness that there will be some way to sign documents so that they're trusted if the certificate is in the user's store.

  3. blue77star

    In other words they removed a single reason to use Office instead of Libre Office. I dropped this garbage a long time ago in favor of Libre Office.
