Restrict usage of Excel 4.0 (XLM) macros with new macro settings control

Great feature!  Thanks for adding it.

.

Do more to publicize it! Especially for "consumers" who are clueless about this issue.  They are the most vulnerable.

.

I hope you decide to make the setting turned off by default for consumers. They are unlikely to be running old spreadsheets that would need access to the old commands.

.

I accidentally found this blog when researching this article:

https://www.pcmag.com/news/excel-4-is-alive-and-well-and-ready-to-attack

.

Please push it out to 2010. I know, it is no longer supported, but it is a "beloved" version and a lot of people are reluctant to let go of it. Giving them this update would be an act of good faith. You can use it after the Windoze 11 announcement fiasco.

.

Question:

In the business setting if the setting is disabled using a Group Policy, will the individual user be able to turn it back on if they need to?

@ron S. Group Policy overrides individual user settings. See Security Policy Advisor for more info.

I recently found out that in one Excel file of mine after a crash, re-build as xlsb and save again as xlsm file, my macros were "detached" from my form buttons in my worksheet. The macros themselves were running fine, but in no way could I create a macro and attach it to a form button. Even adding a new button and connecting it to a basic "helloworld" macro fails with the error message "The macro may not be available in this workbook or all macros may be disabled".

I've posted it a bit more extensive here: https://www.reddit.com/r/vba/comments/r1abrx/macro_detaching_from_form_button/

Through a SO post (https://stackoverflow.com/questions/69890212/running-excel-macro-using-button-not-working ) I found this macro 4.0 setting. On switching it on and re-opening the file the buttons worked as before. However: I assume that is not what that security feature is meant for - AFAIK the buttons & VBA macros I'm using are not 4.0? @Auston 

@Auston I have a similar issue to @Koen_Rijnsent after this update. 

If the box is unchecked, VBA-based macros (i.e. non-4.0) cannot be called via a button or shape any longer. 

They will throw an error "Cannot run the macro XXXX. The macro may not be available in this workbook or all macros may be disabled".

I think this is fine and nice that a security hole is plugged.  But I have case that seems to be a bug.

I do not have any macros which one might interpret as Excel 4.  What I do have are macros which are assigned to common shapes.  For example, in my workbook I have shapes where I have assigned macros.  The user clicks on the shape and runs the macro.  With this latest change, unless I check enable Excel 4 macros, clicking the shape results in an error message that the macro is not available. 

I find this unacceptable and can only conclude that this a bug.

Steve

Gods I am sick of this. I saw something in my newsfeed this morning saying "Macro settings update to disable Excel 4.0 macros by default." Apparently the "announcement" was back in October of last year. On some random guy's twitter thread I can see a screenshot of.... I don't know what with a Microsoft logo and a reference MC289724 announcing this. I see other references to "an e-mail from Microsoft".

Really. TO WHO?

Regardless of whether I search in Google or Bing, THIS, a random blog apparently from a Microsoft employee, is the closest I can come to finding ANYTHING that is an official announcement by Microsoft to E-V-E-R-Y-B-O-D-Y. There was a time, back in the days of the knowledgebase, when announcements were made so that ALL users could see what was happening in Microsoft products. NOW, there seems to be just some leakage of facts to select bloggers who then go on to tweet about it with NOTHING that can be traced back to an official Microsoft announcement in a place where ALL users can find it and track what is happening in the products that they use. You go to "What's New" in Excel and are told about XLookup which is over 2 years old. That's it, that's all that's "new" in Excel if you believe the "what's new" button. The option described in this blog post? That's not "new", apparently. The disabling of Excel 4 macros by default? Not "new". Microsoft mushrooms its users and tells them NOTHING about what is changing in the products that they use on a daily basis.

@raisingarizona @Koen_Rijnsent @cpala01 There was a bug where shapes linked to VBA macros would not work if Excel 4.0 (XLM) macros were disabled. That bug has been fixed, and a fix was released. If you update Office the issue should be resolved.

Do you know why Excel 97 to 2003 were not able to disable Excel 4.0 (XLM) macros?

Is this policy not taking effect for anyone? We've tried setting through group policy as well as setting the registry key (xl4macrooff) and user is still able to launch XL4 macros.

@kablooie there are 2 new settings here:

1. XL4MacroWarningFollowVBA which determines if Excel 4.0 macros are enabled when VBA is enabled. This is the setting whose default state was changed so Excel 4.0 macros are disabled by default.
2. XL4MacroOff which disables Excel 4.0 macros in all workbooks: even new workbooks, trusted documents, and workbooks in trusted locations.

If you configure the XL4MacroOff via registry or group policy, you need to fully close Excel and reopen Excel for the change to take effect. If this isn't working for you, please send me a private message and we can work through this.

@MiFatina I agree this was fixed, but a subsequent update has reintroduced the issue in a slightly different form. 

I have no XL 4.0 Macros (I have regular macros bound to shapes). 

When opening this file I now see a new error and the macros are blocked once again:

If I enable Excel 4.0 Macros (which I do not want to do), the error goes away and the macros work again. Again, I have no Excel 4.0 macros in this workbook so I can't understand why this fixes it. 

In the original article as it is today, it gives the reg key path but doesn't provide the actual keys:

• Computer\HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Office\16.0\excel\security

What are the key(s) to use to override the new default setting for M365 having Excel 4 macros turned off by default?  I have found in documentation the key xl4macrooff but the documentation sources I have found so far (admx.help and gpsearch) indicate that 0 or NOT configuring this means that macros are enabled.           

My "family" version of 365 [MS Excel for MS 365 MSO v. 2204 build 16.0.15128.20128 32-bit] has the extra checkbox in Trust Center for 'enable excel 4 macros...' so I can enable it for myself that way. And there is no excel key at all for me in HKCU\SOFTWARE\Policies\Microsoft\Office\16.0

My cohort's M365 for business lacks this checkbox - how would we enable it for him only ? [manufacturer still employing a legacy catalog system!]
ACTUALLY, his install shows Home&Business 2016: MS Excel 2016 MSO  (same version number and bitness as mine)

Parts of the worksheet function when macros are enabled (in reply to the popup warning or in Trust Center) , but a set of buttons that activate the showing of added lookup data are disabled / can't be clicked on his system. It works fully on mine with that extra checkbox ticked.

@cpala01 the yellow bar you're getting means there are Excel 4.0 macros somewhere in your document. When you disable Excel 4.0 macros, they will remain disabled in trusted documents. (they will only be enabled in documents that are in a trusted location)

It's possible that your workbook references Excel 4.0 macros in a shape macro, or in a defined name - and know that defined names can be hidden.

@OttIT thanks for sharing the incomplete registry path. The value's name is XL4MacroWarningFollowVBA, it is a DWORD value. 0 corresponds to the checkbox being unchecked, while 1 corresponds to the checkbox being checked. We'll update this article in the upcoming days.

As for individuals running Office Home & Business 2016, this new security setting was introduced after Office 2016 was released; it is not available for Office 2016 customers. It is available in Office LTSC 2021 and in M365 subscriptions.

@MiFatina I really appreciate your reply. I actually wrote this sheet myself and I can assure you there are zero Excel 4.0 macros in it. Just regular macros assigned to shapes like previously. 

@cpala01 can you send me a private message with your workbook? I'll take a look to see where Excel thinks it's seeing an Excel 4.0 macro.

@MiFatina I will make a simplified version and send it to you.

@MiFatina Turns out you were correct - I had a GET reference in there which I removed. My apologies!

@cpala01 no worries - glad you found the root cause!

@MiFatina   Is there another spot the key could appear? Whether I tick that checkbox or not, there is no key for excel at all in HKCU\SOFTWARE\Policies\Microsoft\Office\16.0

i.e.  no HKCU\SOFTWARE\Policies\Microsoft\Office\16.0\excel 

this new security setting was introduced after Office 2016 ... not available for Office 2016

By that, do you mean Excel 2016 is not subject to global setting of having that XL 4 style macros disabled by default and no option to disable it manually [so they are ON like previously] ? or do you mean Excel 2016 lacks any toggle setting switch or other method of setting those macros on or off, yet is still subject to the global disablement [so they are OFF and need to upgrade for ability to  re-enable].

@OttIT check HKCU\Software\Microsoft\Office\16.0\excel\security. Group policies get stored under HKCU\Software\Policies\Microsoft\Office\... while user settings (controlled in the UI) are stored in HKCU\Software\Microsoft\Office\... the Policies node overrides the user settings.

The new settings for Excel 4.0 macros were not added to Excel 2016; customers using Excel 2016 do not have any Excel 4.0 macro specific setting. For these older versions of Excel, if VBA macros are enabled, Excel 4.0 macros are enabled. If users wish to disable Excel 4.0 macros globally, they must also disable VBA macros globally following these instructions (more details here).