Ensure 'Scan Encrypted Macros in Word Open XML Documents' to Enabled


This policy setting controls whether encrypted macros in Open XML documents be are required to be scanned with anti-virus software before being opened. If you enable this policy setting, you may choose one of these options: - Scan encrypted macros: encrypted macros are disabled unless anti-virus software is installed. Encrypted macros are scanned by your anti-virus software when you attempt to open an encrypted workbook that contains macros. - Scan if anti-virus software available: if anti-virus software is installed, scan the encrypted macros first before allowing them to load. If anti-virus software is not available, allow encrypted macros to load. - Load macros without scanning: do not check for anti-virus software and allow macros to be loaded in an encrypted file. If you disable or do not configure this policy setting, the behavior will be similar to the 'Scan encrypted macros' option. The recommended state for this setting is: Enabled. When an Office Open XML document is rights-managed or password protected, any macros that are embedded in the document are encrypted along with the rest of the workbook's contents. By default, these encrypted macros will be disabled unless they are scanned by antivirus software immediately before being loaded. If the default configuration is changed, Word will not require encrypted macros to be scanned before loading. Word will handle them as specified by the Office System macro security settings, which can cause macro viruses to load undetected and lead to data loss or reduced application functionality.


To implement the recommended configuration state, set the following Group Policy setting to Enabled. User Configuration\Administrative Templates\Microsoft Word 2016\Word Options\Security\Trust Center\Scan Encrypted Macros in Word Open XML Documents Impact: Enabling this setting enforces the default configuration in Word, and is therefore unlikely to cause usability issues for most users.

See Also


Item Details


References: 800-53|SI-3c.1.

Plugin: Windows

Control ID: ed3fec00568cf58d09346c2d1205ed2bc11cf1e951d019ae86b8707063b0d78c