Information
This policy setting specifies the behavior for both the VBA and Excel 4.0 (XLM) runtime scan features. Multiple Office apps support VBA macros, but XLM macros are only supported by Excel.
The VBA and XLM runtimes report to an antivirus system certain high-risk code behaviors the macro is about to execute. This allows the antivirus system to indicate whether or not the macro behavior is malicious. If the behavior is determined to be malicious, the Office application closes the session and the antivirus system can quarantine the file. If the behavior is non-malicious, the macro execution proceeds.
NOTE: Macros can only be scanned if the anti-virus software registers as an Antimalware Scan Interface (AMSI) provider on the device.
NOTE#2: This policy setting only applies to subscription versions of Office, such as Microsoft 365 Apps for enterprise.
The recommended state for this setting is: Enabled: Enable for all documents
Rationale:
Macros may contain harmful functions designed to inject malicious software into a system, escalate privilege, and be a first entry point in the attack chain. By utilizing the AMSI interface on supporting anti-virus applications, defenders will increase the possibility that malicious software is identified and thwarted before it executes.
Impact:
When macro runtime scanning is enabled, the runtime performance of affected VBA projects and XLM sheets may be reduced.
Solution
To establish the recommended configuration via GP, set the following UI path to Enabled: Enable for all documents:
User Configuration\Administrative Templates\Microsoft Office 2016\Security Settings\Macro Runtime Scan Scope
Default Value:
Not configured. (Equivalent of Enabled: Enable for low trust files)