Any way to stop Office creating new macro-enabled documents?

I realise that group policy can be used to stop users from opening macro-enabled Office files such as .docm, .xlsm and .pptm - but what I need is to stop users from being able to create any new ones.  Is that possible?

When users go to Save As, I want the macro-enabled file type (and the macro-enabled template file type) to either be greyed out or removed completely from the list.

We are on Office 2010 SP2, although beginning to plan the migration over to Office 2016.

meirionwyllt (Senior Desktop Engineer) Asked:

DrTribos Commented:
If a user created a macro they would be able to use it, I think, because it would be trusted.... but, you can purchase a digital signature from the likes of DigiCert and when you download it you will be able to add it to the Cert Store (using a tool they provide) and from there you can sign it from the VBA IDE thusly: Tools > Digital Signature > Select the Signature and sign away > Save.

Or if you want a headache you can create your own Cert.  Or use one of the Community provided Certs.  

NOTE: These are code signing certs and are entirely different from SSL certs for websites.
Ok - I'll bite... Why do you want to do this?

Wouldn't it suffice to just force the following settings?
- Disable All Macros Without Notification
- Disable All Trusted Locations
Roy Cox (Group Finance Manager) Commented:
You would also have to prevent the use of xlsb files because they can also support macros. The only way would be to use the suggestion above, although that can be reversed easily enough.

This new feature may help but you would need to upgrade to Office 2016

Block Macros

DrTribos Commented:
@Roy I was at a client site last week and saw that (A) all options for Macro Security were grayed out and macros were set to "Disable All...", but (B) it was still possible for the user to set trusted locations (including on networks) so 'part-A' was kind of useless.

Anyway, the link you provided doesn't seem to address the issue of a user creating their own macros and saving...  perhaps it's just me - the article was a bit too long for my short attention span.

The other thing, I think that if a user creates a document and saves it then that document is automatically 'trusted'.  So, unless I'm mistaken, even with all the macro security settings in the world you can still run it if you are the author and on the same PC that was used to save the document (because it is known as a Trusted Document).

Also worth noting: there are tools available that can bypass ALL macro security, but require the user to open the document from an exe.

But for the OP... why bother?  What is the end goal here?
meirionwyllt (Senior Desktop Engineer, Author) Commented:
OK, some background here...

Last month we had an infection of a 'Zepto' ransomware virus, which came from a macro-enabled Word document attached to a spam email.  Of course we are looking at tightening up on all aspects of security, AV, anti-spam, firewall, user education, etc, but we are also looking at macros.

On the day that the virus broke, as somewhat of a knee-jerk reaction, we disabled macros across the board for all Office apps on 2500 machines, using Group Policy.  However the phones went red-hot, as users were no longer able to open the genuine macro-enabled documents that they open as part of their jobs.  We had to switch macros back on, because at the time we had had a shitstorm to mop up after.  Now it's time to look at this again, but one thing that's certain is that we have no idea what macro-enabled documents our users use, and what 3rd party apps might stop working as a result of this.

Last week I contacted the users who phoned on the virus day, to see what it was that stopped working in that hour or so that we disabled macros.  There was a range of stuff, from Word docs to Access .ade front-end files, and one 3rd party app which, I presume, exports its data as Word docs.  The reality is that there will be many, many more.  So the end goal is to create a 'can open Word macros' AD group, and the same for Excel and PowerPoint.

But we have a lot to learn before switching that on, to try to figure out what our users need macros for.  I thought a good place to start with this was to stop users from creating any new macros, and wait until they phone us - because most of the time a macro is overkill for what they need, and other times an Access database would be more suitable, for collaboration etc.  Using this less intrusive method we could then build a list of users who use macros, so when the switch-on happens, it won't break so many things.
DrTribos Commented:
Ouch!  Well it sounds like you'd understand my aversion to blocking everything... might as well just unplug all the PCs ;-)

Don't worry about the SaveAs aspect.  Let users create their own macros - if you feel the need to protect against that then you have bigger issues than macros.

Do ramp up the macro security (at least require a digital Cert) and perhaps disable all trusted locations.  

BUT Beware... this little utility called WordFree will actually bypass every single macro security setting you have.  You might call it a shitstormbrewing....

Anyway, there are a ton of legitimate uses of Macros and if you take a sensible approach they can still be used.

There are tools available for scanning Macros, the best I've found: and this will look for signs that something bad is happening... but at the same time it could (most likely would generate a few false positives).

Basically I'd suggest:
- prevent downloading of macro enabled files
- block them in emails

But beware, they can be renamed zip and often pass through file blockers... but this requires a somewhat more deliberate action on the part of your users....
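
Added example, not part of the thread: a content-based check that a mail or download filter could apply so that a renamed file is still recognised as a macro-enabled Office document. It looks inside the ZIP package for a VBA project part instead of trusting the extension; the function names and sample files are constructed for illustration.

```python
import io
import zipfile

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # legacy .doc/.xls/.ppt container
VBA_TYPE = b"application/vnd.ms-office.vbaproject"  # content type of the VBA part


def classify(data: bytes) -> str:
    """Classify a file by its content, ignoring name and extension."""
    if data.startswith(OLE_MAGIC):
        return "legacy-ole"  # may hold VBA; confirming needs an OLE parser
    buf = io.BytesIO(data)
    if not zipfile.is_zipfile(buf):
        return "other"
    try:
        with zipfile.ZipFile(buf) as zf:
            names = zf.namelist()
            if "[Content_Types].xml" not in names:
                return "plain-zip"
            content_types = zf.read("[Content_Types].xml").lower()
    except zipfile.BadZipFile:
        return "corrupt-zip"
    has_vba_part = any(n.lower().endswith("vbaproject.bin") for n in names)
    if has_vba_part or VBA_TYPE in content_types:
        return "ooxml-with-macros"
    return "ooxml"


def make_zip(members: dict) -> bytes:
    """Build an in-memory ZIP; used only for the constructed samples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()

# Constructed samples: placeholder bytes, not real documents or real macros.
PLAIN_TYPES = '<Types><Default Extension="xml" ContentType="application/xml"/></Types>'
DOC = {"[Content_Types].xml": PLAIN_TYPES, "word/document.xml": "<doc/>"}
SAMPLES = {
    "invoice.zip": make_zip({**DOC, "word/vbaProject.bin": b"placeholder"}),
    "report.docx": make_zip(DOC),
    "photos.zip": make_zip({"readme.txt": "hello"}),
    "old.doc": OLE_MAGIC + b"\x00" * 24,
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:12} {classify(data)}")
```

The same check covers .xlsb, which is also a ZIP package and stores its VBA project in the same kind of part. Legacy binary files are only flagged as a class here, because deciding whether one actually contains macros requires parsing the OLE container.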
meirionwyllt (Senior Desktop Engineer, Author) Commented:
OK I guess the answer to my original question is a No.

I think I'll just have to deploy the locked down settings to a few teams at a time and see what happens.

As for digitally signing, this is an area that I've been scared away from for some time now, but I think this is the time to tackle it.  All guides I've seen on how to do this are really long-winded.

Do you know of any guides that are simplified?  We have an SSL certification server (Microsoft) on our domain, if that helps at all.

I understand your pain but preventing users from creating macros to make your work easier and theirs harder is rather draconian.   Better to concentrate on education first, then malicious software prevention tools and registry settings that prevent software installation.

One thing that comes to mind is to run the email and internet programs in a virtual partition to add yet another fence between the bad guys and your hard drive and server.  It is a little inconvenient to move files but if that isn't a big part of their job then it won't get in the way.  Then if they trash their virtual computer, you can delete the image and give them a clean one.
Digital certificate is something that you insist on from software products. DigiCert have a click and go Cert that just works if you want to sign your own macros
meirionwyllt (Senior Desktop Engineer, Author) Commented:
PatHartman - the idea wasn't to blanket block all macros permanently, it was only to do so initially, find out who needs it, then give those people permissions to open/save macros.  95% of our staff don't even know what a macro is, let alone know how to create one, so why would you want to give everyone permission to something that can be so damaging when they don't need it for their work?
Also, I'd say that our system is pretty well locked down already, but this got through.  We are looking at all aspects of security, but I still need to do something about macros now, as leaving macros as they are is not an option.

DrTribos - could you please elaborate on that?  If a user has created a genuine macro, how do I digitally sign it?

meirionwyllt (Senior Desktop Engineer, Author) Commented:
OK, I've done a bit of research into code signing digital certs.  Paying for one is not an option for us, especially not a revenues-based expenditure, and especially since we have a Microsoft certification server here that can be used for this.  So, I've created a test cert, which appears on PCs via auto-enrollment, but not on our Citrix published desktop.  But this is going beyond the scope of the original question, so I will open another question about that.  Thanks for your help.  Will close this question shortly.
Roy Cox (Group Finance Manager) Commented:
Pleased to help.
Question has a verified solution.