I was trolling through the readme">Plan security settings for VBA macros in Office 2016
Also, and more importantly, there are no corresponding updates to the Office 2013 ADMX files, so you wont be seeing any new settings in your group policy screen for Office 2013.
You can (and should) put these macro limit controls in for Office 2016, but as far as I can see, thats an entirely different branch in both Group Policy and in the Registry. Office 2013 apps wont read Office 2016 settings, and vice versa. So the Office 2013 settings you had 30 days ago are still the only ones that are easy to get to.
Its great to see where Microsoft is going with this, but I think we">Disable all without notification: If you dont use macros in your organization, disable them and DONT give your users the ability to bypass this setting.
or
Disable all except digitally signed macros: This is a more complex route - youll need to sign all docs with macros in them. This isnt such a big deal really though - most organizations with macros have either static code, or a small number of macros maintained by a small number of people. In addition, most of us have private CA servers now for our wireless infrastructure.
So to go forward with signed macros, whats required in advance is some training for your 2 or 3 macro authors on how to sign their code (or do it for them if changes are very seldom).
Office 2016 has these settings, as well as Block Macros from running in Office files from the Internet. This one is essentially the easy button that will shut down lots of the ransomware infections were seeing these days.
Im waiting with anticipation for this same easy button in GPO for Office 2013 to match this update (and Office 2016)! If it doesnt come, I might write one and post it here (I really hope it doesnt come to that though).
===============
Rob VandenBrink
Compugen
