Microsoft blocks Excel XLL add-ins – at last!

XLL add-ins for Excel that come from the Internet will be blocked by default as a security measure. Here’s how the block works and how to enable XLL files that you trust. You can implement a similar block now in other Excel versions without waiting for Microsoft’s late change.

Excel can use .XLL files to provide additional code for a workbook. Some Excel extras include XLLs but, unfortunately, hackers and criminals can also use XLL files to infect a computer. Now Excel will block Internet-sourced XLL files by default, starting with Insiders/Preview versions of Excel 365 in March 2023.

The previously announced change in the default is now appearing in Insiders releases of Excel 365 for Windows, along with typical hype from Microsoft saying that “We’re adding another layer of security to Excel for Windows!”, which isn’t strictly true since the ‘extra layer’ is already in Excel.

As we predicted, Microsoft is using their “Mark of the Web” system to know if an XLL is from the Internet or not.

How the Excel XLL block will appear

When loading an Excel Add-in or XLL file, Excel will check if the file came from the Internet. If it did, the XLL won’t load and there’s no direct option to allow loading.

Source: Microsoft

There’s no ‘Enable’ or ‘Allow’ button, just a ‘Leave this add-in disabled’ button or the X top-right to close the message box. Let’s hope there’s been better testing of this compared to the Publisher ‘zero-day’ security bug which allowed macros to run.

Unblock an XLL and let it run in Excel

There are a few options for letting an Internet-sourced XLL add-in run in Excel. ONLY do this if you’re absolutely confident that the source is legitimate and not carrying any viruses.

OK individual XLL files

For individual Excel files, open up File Properties in Windows and choose the ‘Unblock’ option on the General tab.

Trusted Location

Here ‘location’ means a folder on your computer. Go to Excel | File | Options | Trust Center | Trust Center Settings then Trusted Locations in the left column. Add a new folder path for ‘safe’ Excel files.

Trusted Publisher

Professional Excel add-ins should be digitally signed by the maker (publisher). Signed Excel files confirm that the code came from the right organization, not an impersonator.

Go to Excel | File | Options | Trust Center | Trust Center Settings then Trusted Publishers in the left column to see what software makers are already trusted.

Adding a Trusted Publisher is done when the code is loaded; there’s an option to “Trust all documents from this publisher”.

Trusted Sites

Make the download source ‘Trusted’ in Windows (not Office or Excel). In Windows search for ‘Internet Options’ then go to the Security tab, Trusted Sites and finally the Sites button. Add a Trusted Site to the list.
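Before unblocking or trusting anything, it helps to see which XLL files carry the Mark of the Web and who signed them. The PowerShell script below is an added example, not from Microsoft or the original article; it assumes the mark is stored in the NTFS `Zone.Identifier` alternate data stream, and the `$Root` folder (Downloads by default) is a placeholder to adjust.

```powershell
# Added example: list XLL files with their Mark of the Web zone and signature.
# Assumption: $Root is whatever folder you want to audit (Downloads is a default).
param(
    [string]$Root = (Join-Path $env:USERPROFILE 'Downloads')
)

# Windows URL security zones as recorded in the Zone.Identifier stream.
$ZoneNames = @{
    0 = 'Local machine'; 1 = 'Local intranet'; 2 = 'Trusted sites'
    3 = 'Internet';      4 = 'Restricted sites'
}

Get-ChildItem -Path $Root -Filter '*.xll' -File -Recurse -ErrorAction SilentlyContinue |
ForEach-Object {
    $file    = $_
    $zoneId  = $null
    $hostUrl = $null

    # The mark lives in an alternate data stream; no stream means no mark
    # (for example, a file that was created locally or already unblocked).
    $motw = Get-Content -LiteralPath $file.FullName -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
    foreach ($line in $motw) {
        if ($line -match '^\s*ZoneId\s*=\s*(\d+)')    { $zoneId  = [int]$Matches[1] }
        elseif ($line -match '^\s*HostUrl\s*=\s*(.+)$') { $hostUrl = $Matches[1].Trim() }
    }

    # Authenticode status shows whether a publisher signed the add-in
    # and whether that signature still validates on this machine.
    $sig = Get-AuthenticodeSignature -LiteralPath $file.FullName

    [pscustomobject]@{
        File            = $file.FullName
        Zone            = if ($null -eq $zoneId) { 'no mark' }
                          elseif ($ZoneNames.ContainsKey($zoneId)) { "$zoneId ($($ZoneNames[$zoneId]))" }
                          else { "$zoneId (unknown)" }
        MarkedInternet  = ($zoneId -eq 3)
        DownloadedFrom  = $hostUrl
        SignatureStatus = $sig.Status
        Signer          = $sig.SignerCertificate.Subject
    }
} | Sort-Object -Property MarkedInternet -Descending | Format-List
```

Files listed with `MarkedInternet : True` and a `SignatureStatus` other than `Valid` are the ones to check most carefully before using any of the options above.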

Block XLL now

There’s no need to wait for Microsoft to catch up; it’s possible to block Excel add-ins like XLL now in any modern Excel for Windows. Go to File | Options | Trust Center | File Block Settings then scroll down to “Excel Add-in Files”.

Click the ‘Open’ check box then verify the ‘Open behavior’. The default and best choice is “Open selected file types in Protected View”.

That choice will prompt you if there’s an attempt to install any XLL file, so you can decide if it’s OK or not. XLL files can be a legitimate and necessary part of an Excel enhancement or extra.

Who gets it?

Blocking Internet-sourced XLL files is appearing in Insiders releases of Excel 365 for Windows, from v2302 build 16130.20128 and later.

About this author

Office-Watch.com

Office Watch is the independent source of Microsoft Office news, tips and help since 1996.