Macro Notification Settings - vbarequirelmtrustedpublisher

Information

This policy setting controls how the specified applications warn users when Visual Basic for Applications (VBA) macros or Excel 4.0 (XLM) macros are present. Multiple Office apps support VBA macros, but XLM macros are only supported by Excel. \n If you enable this policy setting, you can choose from four options to determine how the specified applications will warn the user about VBA macros. There is also a check box that determines how Excel will warn the user about XLM macros. \n For VBA macros, these are your choices: \n - Disable VBA macros without notification: The application disables VBA macros, whether signed or unsigned, and does not notify users. \n - Disable VBA macros with notification: The application displays the Trust Bar for VBA macros, whether signed or unsigned. This option enforces the default configuration in Office. \n - Disable VBA macros except digitally signed macros: The application displays the Trust Bar for digitally signed macros, allowing users to enable them or leave them disabled. Any unsigned macros are disabled, and users are not notified. \n - Enable VBA macros (not recommended): VBA macros are enabled, whether signed or unsigned. This option can significantly reduce security by allowing dangerous code to run undetected. \n If you disable or dont configure this policy setting, 'Disable VBA macros with notification' will be the default setting, and 'Enable Excel 4.0 macros when VBA macros are enabled' will be checked. When users open files in the specified applications that contain VBA or XLM macros, the applications open the files with the macros disabled and display the Trust Bar with a warning that macros are present and have been disabled. Users can inspect and edit the files if appropriate, but cannot use any disabled functionality until they enable it by clicking 'Enable Content' on the Trust Bar. \n The following section only applies to Excel 4.0 (XLM) macros: \n If you select the 'Enable Excel 4.0 macros when VBA macros are enabled' check box, the setting selected for VBA macros will also apply to XLM macros. If this check box is not selected, all XLM macros are disabled and users are not notified. \n XLM macros cannot be signed and will be disabled if 'Disable VBA macros except digitally signed macros' is chosen. \n If you have enabled the 'Prevent Excel from running XLM macros' policy setting, XLM macros cannot be run in Excel regardless of how you have configured this policy setting. \n The following section only applies to VBA macros: \n If you select the 'Require macros to be signed by a trusted publisher' check box, users opening files with digitally signed macros but not by a Trusted Publisher will receive a notification that macros are blocked from running. \n And there are two additional check boxes that we recommend that you select to help improve security. \n - Block certificates from trusted publishers that are installed in the current user certificate store \n - Require Extended Key Usage (EKU) for certificates from trusted publishers \n Note: These two check boxes only apply if you have selected the 'Require macros to be signed by a trusted publisher' check box. \n Note: The three check boxes about trusted publishers only apply to Version 2012 and later of Office and Visio. The 'Enable Excel 4.0 macros when VBA macros are enabled' check box only applies to Version 2111 and later of Office. None of the check boxes apply to Office 2016 or Office 2019. \n If you select the 'Block certificates from trusted publishers that are installed in the local machine certificate store' check box, macros wont run if the certificate from the trusted publisher is installed in the current user certificate store. The certificate must be installed in the local machine certificate store for the macro to run. Only accounts with administrator access to the computer can install a certificate in the local machine certificate store. \n If you select the 'Require Extended Key Usage (EKU) for certificates from trusted publishers' check box, the EKU must include 'Code Signing' as one of the uses of the certificate. \n Important: If 'Disable all except digitally signed macros' is selected, users will not be able to open unsigned Access databases. \n Also, note that Microsoft Office stores certificates for trusted publishers in the Internet Explorer trusted publisher store. Earlier versions of Microsoft Office stored trusted publisher certificate information (specifically, the certificate thumbprint) in a special Office trusted publisher store. Microsoft Office still reads trusted publisher certificate information from the Office trusted publisher store, but it does not write information to this store. \n Therefore, if you created a list of trusted publishers in a previous version of Microsoft Office and you upgrade to Office, your trusted publisher list will still be recognized. However, any trusted publisher certificates that you add to the list will be stored in the Internet Explorer trusted publisher store.

Solution

Policy Path: Microsoft Excel 2016\Excel Options\Security\Trust Center
Policy Setting Name: Macro Notification Settings

See Also

https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-review-for-m365-apps-for-enterprise-v2312/ba-p/4009591

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-13(4)

Plugin: Windows

Control ID: 0d2fbebb4fa1e3542db1ab4d138c316cf4eeee82ced610dd2f7ebc7c244b8dec