Changes to VBA Macro Security in Microsoft 365

You can do some really cool things in Microsoft Office with just a few lines of Visual Basic for Applications (VBA) – from creating your own custom formula in Excel to correcting branded content in PowerPoint to merging address data for a mail campaign in Word. And sometimes you need to share that VBA solution with colleagues and clients, via the Internet. A change to VBA security that Microsoft rolled out at the end of March 2022 tweaks the process required by Windows users to gain access to this active content.

Why did they make this change?

Prior to this change, if you received a file from the Internet via an email or a website download link, you’d be explicitly asked to Enable Content, assuming you trusted whoever was providing you with the file. That appeared in the message bar below the ribbon when you opened the file, like this:

Microsoft observed that most users automatically trusted whoever was sending the file and sometimes dubious techniques were used by naughty people trying to trick you into trusting them. It was considered too easy for recipients of malicious content to click that magic Enable Content button and get themselves into hot water.

What happens now then?

Several aspects changed in the user experience when opening macro-enabled content on Windows PCs. Firstly, the message bar has changed from yellow to pink to indicate a higher level of importance. Secondly, The easy-to-access Enable Content button has been replaced with a Learn More button, which simply takes you to this Microsoft article and does not enable the macro content.

That means you have to go through extra hoops to activate the macro-enabled functionality.

What hoops?

When you receive a file from the Internet via an email or a browser download, that file has a special attribute added to it by Windows called the MOTW. It doesn’t mean Match Of The Week for all you sports fans, but Mark Of The Web. You can see it easily as follows:

1. Run Windows File Explorer
2. Locate your macro-enabled file

Right-click the file and then select Properties. The MOTW attribute is shown by default as an unchecked Unblock checkbox in the Security item at the bottom of the General tab:

By explicitly checking the Unblock check box, you’ll be able to open your prized macro-enabled content and access the additional functionality enabled by the VBA code inside it.

What does it mean for me?

Most of the Microsoft Office files you receive will be standard PowerPoint, Excel and Word files in their respective formats of pptx, xlsx and docx. In some cases, files will have automation features built into them, often custom-designed for your specific workflows. These files have the letter m as their suffix i.e. pptm, xlsm, docm. Assuming you trust the provider, you will either have to have them saved to a Trusted Location within your organisation or check the MOTW Unblock checkbox before you can use those automation features.

If you have a BrightCarbon software product, it is most likely an add-in. Microsoft have stated that add-ins are not affected by this change ⁽¹⁾. However, the delivery of our in-file automation solution ShowMaker may be affected – your BrightCarbon contact will be able to talk you through accessing its features.

Do digital signatures help?

A digital signature is something a software publisher can use to certify that the VBA code received by you has been unaltered since it left that publisher. For example, BrightCarbon digitally sign all of our automation solutions whether they’re a macro-enabled file or an add-in. By signing a file, the old and new message bar experiences can be bypassed once the publisher has been trusted, as alluded to in step 3 of this security flowchart from Microsoft:

In what version of Microsoft Office did this change take place?

That’s a tricky question as Microsoft didn’t include it in their public release notes but it’s around the beta channel version 2205, build 15130. It may also have been implemented in the annual and semi-annual channels that get published after March 2022.

Where can I find more information?

That’s great question and fortunately for you, Microsoft have published several articles aimed at explaining this change to various audiences:

General blog article announcing the change

The in-app “Learn More” article for users

A technical article for IT administrators

Information on Trusted Locations

Looking to automate PowerPoint with a custom solution?

Check out our PowerPoint automation service offering and get in touch to discuss your needs.

1) Although Microsoft have stated that this change does not affect add-ins we’ve seen a few cases where this isn’t true. Many add-ins are installed on Windows in this Microsoft-recommended folder:

C:\Users\Username\AppData\Roaming\Microsoft\AddIns

This folder is a Trusted Location by default. Some add-in publishers, including BrightCarbon, install their add-ins in a subfolder to make it clear who’s files belong to who. Microsoft Office considers subfolders of the above trusted folder to be untrusted by default! You can change this in the respective Office app by clicking  File / Options / Trust Center / Trust Center Settings / Trusted Locations and selecting the location that ends with Addins. Then click the Modify button followed by the Subfolders checkbox in step 4 below.