Essential Eight control 3 — configuring Microsoft Office macro settings — has been the subject of ongoing evolution. In 2022, Microsoft began rolling out a significant change: blocking macros from files downloaded from the internet by default across Microsoft 365 Apps. This change has matured through 2024-25 and affects how organisations should approach macro settings compliance.
What Microsoft Changed
Microsoft now blocks VBA macros in Office files obtained from the internet — those with the Mark of the Web (MOTW) attribute set — by default. When a user tries to run such a file, they receive a notification explaining why macros are blocked rather than a security warning that can be bypassed. This is a stronger default than the previous "enable macros?" prompt that many users clicked through.
How This Affects Essential Eight Compliance
The Essential Eight macro settings control requires organisations to configure macro settings to a defined standard. Microsoft's default change moves the starting position closer to compliance for internet-sourced files. However, compliance is not automatic. Local files, files from internal sources, and files shared via cloud storage may not have MOTW set and are not covered by the internet macro block.
What Organisations Still Need to Configure
Three things remain the organisation's responsibility. Centralised macro policy management through Group Policy or Intune, so that settings are applied consistently and cannot be overridden by users. An approved list of trusted publishers or trusted locations for the macros that business processes legitimately require. Monitoring for macro execution outside those approved paths. The ASD's guidance on the control has been updated to reflect the Microsoft default change, with adjusted implementation requirements.
If Microsoft now blocks macros by default, do we still need to configure macro settings?
Yes. The Microsoft default is a significant improvement but it is not a substitute for a managed macro policy. Default settings can be changed by users or administrators. Centralised policy management through Group Policy or Intune ensures the settings are applied consistently, cannot be overridden, and are documented — all of which are required to demonstrate maturity level compliance.
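As an added illustration (not ASD's guidance text or Microsoft's code), the PowerShell check below reports, for each Office application, whether its macro setting comes from an enforced policy value or from a user-changeable one, and whether the internet-macro block and trusted-location controls are set by policy. It assumes Microsoft 365 Apps (the Office 16.0 registry hive) and policy delivered by Group Policy or Intune into the per-user Policies hive.

```powershell
# Added example: distinguish enforced (policy hive) macro settings from
# user-changeable ones. Assumes Office 16.0 (Microsoft 365 Apps).
$apps       = 'Word', 'Excel', 'PowerPoint'
$policyRoot = 'HKCU:\Software\Policies\Microsoft\Office\16.0'   # written by GPO / Intune
$userRoot   = 'HKCU:\Software\Microsoft\Office\16.0'            # Trust Center (user can change)

function Get-RegValue($path, $name) {
    $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.$name } else { return $null }
}

# Meaning of the VBAWarnings value used by the Office macro-setting policy
$vbaMeaning = @{
    1 = 'Enable all macros (unsafe)'
    2 = 'Disable all macros with notification'
    3 = 'Disable all except digitally signed macros'
    4 = 'Disable all macros without notification'
}

foreach ($app in $apps) {
    $policyKey = "$policyRoot\$app\Security"
    $userKey   = "$userRoot\$app\Security"

    $vbaPolicy  = Get-RegValue $policyKey 'VBAWarnings'
    $vbaUser    = Get-RegValue $userKey   'VBAWarnings'
    $motwBlock  = Get-RegValue $policyKey 'blockcontentexecutionfrominternet'
    $trustedOff = Get-RegValue "$policyKey\Trusted Locations" 'AllLocationsDisabled'

    # A policy-hive value wins; a user-hive value alone is overridable, which is
    # exactly the gap the Essential Eight control expects policy management to close.
    if ($null -ne $vbaPolicy)   { $source = 'policy (enforced)';   $vba = $vbaPolicy }
    elseif ($null -ne $vbaUser) { $source = 'user (overridable)';  $vba = $vbaUser }
    else                        { $source = 'not set';             $vba = $null }

    $setting = if ($null -ne $vba) { "$vba - $($vbaMeaning[[int]$vba])" } else { 'not set' }

    [pscustomobject]@{
        App                 = $app
        MacroSetting        = $setting
        Source              = $source
        InternetBlockPolicy = $(if ($motwBlock -eq 1) { 'enforced by policy' }
                                else { 'not set by policy (relying on Microsoft default)' })
        TrustedLocations    = $(if ($trustedOff -eq 1) { 'all disabled by policy' }
                                else { 'allowed (review the approved list)' })
    }
}
```

Run it under each user account being assessed, since the Office policy values live in the user hive; an application reporting `Source = user (overridable)` has a macro setting that a user could change back, regardless of what the current value is.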