30 July 2022

Inside the Office VBA/Mark of the Web changes

Peter Deegan Microsoft 365, Microsoft Office, Microsoft Powerpoint, Microsoft Word, Office 365

Look inside the changes Microsoft made to the Office VBA blocking / Mark of the Web documentation

More VBA macro blocks coming to Office, details
Microsoft reverses Office macro blocks without telling customers
Blocking Office VBA macros resumes but why?

Which made us wonder what’s changed in the documentation. Surely, it’s a big revision to have caused the suspension of a major new feature and after five months of public beta testing.

Not so much ….

In our view, the documentation changes didn’t justify the suspension of the whole security feature, with all the trouble and cost that caused to Office customers across the world.

Microsoft could have updated the web pages and explained the MOTW feature better as well as publicly answering questions from users and admins. All while leaving the MOTW/VBA block operating for all customers.

The whole thing seems like an overreaction by Microsoft to ‘feedback’. By suspending the MOTW block in the way it did, Microsoft considered its own needs and had little regard for the consequences on paying customers.

What’s changed in the MOTW documentation

They go way beyond Microsoft’s two examples “ what to do if your users have files on SharePoint or files on a network share. ”

Whole sections have been added (about a thousand words), mostly a new table explaining how to bypass the VBA block for documents you want to open.

Group Policy information is still there but moved to much lower down the document.

The ‘Mark of the Web’ Office 365 for Windows blocks begins rolling out to Current Channel users with version 2206 from 27 July 2022.

Here’s some of the additions to the administrators documentation Macros from the internet will be blocked by default in Office that caught our eye.

Group Policies in Enterprise plans, not Business

This sentence isn’t new but worth more prominence than Microsoft gives it, with our bold text.

“Important
You can only use policies if you’re using Microsoft 365 Apps for enterprise. Policies aren’t available for Microsoft 365 Apps for business.

This sentence has been added, presumably to explain some customer complaints.

“In some cases, users will also see the message if the file is from a location within your intranet that’s not identified as being trusted.
For example, if users are accessing files on a network share by using the share’s IP address.”

Prepare for this change

This paragraph was enhanced, here’s how it reads now, followed by an image showing the edits from the 6 July version.

“Prepare for this change

“To prepare for this change, we recommend that you work with the business units in your organization that use macros in Office files that are opened from locations such as intranet network shares or intranet websites. You’ll want to identify those macros and determine what to keep using those macros. You’ll also want to work with independent software vendors (ISVs) that provide macros in Office files from those locations. For example, to see if they can digitally sign their code and you can treat them as a trusted publisher. “

How Office determines whether to run macros in files from the internet

An important clarification sentence has been added:

“Also, if a file is located on a network share that isn’t in the Local intranet zone or isn’t a trusted site, macros will be blocked in that file.”

Steps to take to allow VBA macros to run in files that you trust

This section now has a table to better explain how to bypass the MOTW block and fully open an Office document with macro.

“Steps to take to allow VBA macros to run in files that you trust.

“How you allow VBA macros to run in files that you trust depends on where those files are located or the type of file. The following table list different common scenarios and possible approaches to take to unblock VBA macros and allow them to run. You don’t have to do all possible approaches for a given scenario. In the cases where we have listed multiple approaches, pick the one that best suits your organization.”

Scenario	Possible approaches to take
Individual files	• Select the Unblock checkbox on the General tab of the Properties dialog for the file • Use the Unblock-File cmdlet in PowerShell For more information, see Remove Mark of the Web from a file.
Files centrally located on a network share or trusted website	Unblock the file using an approach listed under “Individual files.” If there isn’t an Unblock checkbox and you want to trust all files in that network location: • Designate the location as a Trusted site • Add the location to the Local intranet zone For more information, see Files centrally located on a network share or trusted website.
Files stored on OneDrive or SharePoint, including a site used by a Teams channel	• Have users directly open the file by using the Open in Desktop App option • If users download the file locally before opening it, remove Mark of the Web from the local copy of the file (see the approaches under “Individual files”) • Designate the location as a Trusted site For more information, see Files on OneDrive or SharePoint.
Macro-enabled template files for Word, PowerPoint, and Excel	If the template file is stored on the user’s device: • Remove Mark of the Web from the template file (see the approaches under “Individual files”) • Save the template file to a Trusted Location If the template file is stored on a network location: • Use a digital signature and trust the publisher • Trust the template file (see the approaches under “Files centrally located on a network share or trusted website”) For more information, see Macro-enabled template files for Word, PowerPoint, and Excel.
Macro-enabled add-in files for PowerPoint	• Remove Mark of the Web from the Add-in file • Use a digital signature and trust the publisher • Save the Add-in file to a Trusted Location For more information, see Macro-enabled add-in files for PowerPoint and Excel.
Macro-enabled add-in files for Excel	• Remove Mark of the Web from the Add-in file • Save the Add-in file to a Trusted Location For more information, see Macro-enabled add-in files for PowerPoint and Excel.
Groups of files saved to folders on the user’s device	Designate the folder a Trusted Location For more information, see Trusted Locations.