Information
This policy setting controls how the specified applications warn users when Visual Basic for Applications (VBA) macros are present.
The recommended state for this setting is: Enabled: Disable all except digitally signed macros.
Rationale:
By default, when a user opens a file that contains VBA macros, the macros are disabled, and a warning is displayed on the Trust Bar that the macro has been disabled. Users may then enable these macros by clicking options on the Trust Bar and selecting to enable the macro which could execute malicious code and cause a virus to load undetected.
Note: Microsoft Office stores certificates for trusted publishers in the trusted publisher store. Earlier versions of Microsoft Office stored trusted publisher certificate information (specifically, the certificate thumbprint) in a special Office trusted publisher store. Microsoft Office still reads trusted publisher certificate information from the Office trusted publisher store, but it does not write information to this store.
Therefore, if a list of trusted publishers is created in a previous version of Microsoft Office and is upgraded, the trusted publisher list will still be recognized. However, any trusted publisher certificates that are added to the list will be stored in the trusted publisher store.
Impact:
This configuration causes documents and templates that contain unsigned macros to lose all functionality supplied by the macro. To prevent this loss of functionality, users can install the macro in a trusted location, unless the Disable all trusted locations setting is configured to Enabled, which will not allow the user to add to the trusted location.
Warning: With the Disable all except digitally signed macros option selected, users will not be able to open unsigned Access databases.
Solution
To establish the recommended configuration via GP, set the following UI path to Enabled: Disable all except digitally signed macros.
User Configuration\Administrative Templates\Microsoft Word 2016\Word Options\Security\Trust Center\VBA Macro Notification Settings
Default Value:
Enabled: Disable all with notification (Trust Bar displays warning but users can Enable Content regardless of macro signatures.)