Microsoft 365 Apps for Business does not support macro policies (GPOs)

[German]This is an unpleasant story, actually a scandal, which I'm putting up for discussion here on the blog. Anyone using Microsoft 365 Apps for Business is in for an unpleasant surprise. Microsoft has pruned the product, so this product does not support macro execution management policies (GPOs, etc.). Only on the Microsoft 365 Enterprise variant provides this functionality.


German blog reader AndiW alerted me to an unsightly issue surrounding Microsoft 365. In mid-January 2023, the following tweet from reader AndiW reached me, picking up on the topic and referencing this tweet.

The statement in the inner tweet is that when you use Microsoft 365 Apps for Business, the Office installation ignores policies (GPOs, etc.), including those that enforce macro security settings. Here's some sorted information.

Microsoft recommends GPOs for macro execution

It is well known that VBA macros are a common way for attackers to gain access to systems to deploy malware and ransomware. Microsoft's solution to improve security in Office is to change the default behavior of Office applications since Summer 2022. Macros in files from the Internet should be blocked in the future.

With this change, the following message will be displayed when users open a file that originates from the Internet, such as an email attachment, and that file contains macros:


Macro warning

This can be wonderfully read in Microsoft's support article Macros from the internet will be blocked by default in Office, updated on January 26, 2023.

When Microsoft marketing strikes

However, in enterprise environments, administrators have the ability to manage macro processing policies via policies. Microsoft is explaining this in the section Use policies to manage how Office handles macros. However, the administrators' jaws should drop at the latest when they take a closer look at the details. I have pulled it out as a screenshot – perhaps this is already well known by administrators.

Microsoft recommends using the group policies in question to manage macro execution. But then the marketing has probably struck. However, those who use Microsoft 365 Apps for Business have bought a pig in a poke – the use of policies is not possible there, according to the "Important" insert. Those who want to manage macros via group policies have to rely on Microsoft 365 Apps for Enterprise.

There is no discernible technical reason there, this is a pure marketing decision (similar to the neutering of GPO support in Windows 10/11 Pro), people should be forced onto Microsoft 365 Apps for Enterprise. This is one of the reasons Microsoft has a sucky reputation (not just with me). The user in question, md, raised legitimate questions in a series of follow-up tweets.

Microsoft 365 Apps for Business questions

Or how do you see it? Is this not a problem in practice, because a) it is not needed, or b) you go straight to Microsoft 365 Apps for Enterprise, because there is no alternative?

Notes: Macros are generally blocked in Office since summer 2022 (7/27/2022) (see Microsoft continues rollout for default disabling of Office VBA macros).

A user wrote on Facebook: This is nothing new. GPOs are already possible since Office 2013 only in the VL versions. All others can be controlled via preferences (hkcu – software -Microsoft – office) instead of policies (hkcu -software – policies …).

Another user wrote: Microsoft 365 Apps Business can be managed via MDM. You can also control the macros there.

And another user told my on Facebook: In general, you might want to say goodbye to thinking about GPO's in the cloud in your head. Modern cloud management and configuration has absolutely NOTHING to do with traditional GPO's from an AD. There are other ways and means to achieve exactly that.

Because the Word app has a cloud connection quite simply. And that will become much more in the future when you see the growing AI. These used to be standalone programs is becoming more and more a cloud extension.  The Business Premium does not pull on Ad environments there would be then rather the standard +EMS E3 which gives me then again the authorization to operate a local configuration manager and I have my management back down in the co-management with Intune.


Cookies helps to fund this blog: Cookie settings

This entry was posted in Android, Office, Security and tagged , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *