M365 Changelog: (Updated) Excel is blocking untrusted XLL add-ins by default
MC524212 – Updated March 22, 2023: The Administrative Template files for Microsoft 365 Apps for enterprise has been updated to include a policy to control blocking Excel XLL Add-ins from untrusted locations.
The policy is located under Administrative Templates > Microsoft Excel 2016 > Excel Options > Security > Trust Center > Block Excel XLL Add-ins that come from an untrusted source.
The new Administrative Template files and details are available at Microsoft Download Center.
Microsoft is introducing a default change for Excel Windows desktop apps that run XLL add-ins: XLL add-ins from untrusted locations will now be blocked by default.
For XLL add-ins in files from untrusted locations, you will no longer be able to enable content with a click of a button. A message will appear notifying you of the risk and a link to get more information about possible workarounds and support. This change will help you stay more secure by blocking popular attack techniques.
This message is associated with Microsoft 365 Roadmap ID 115485
When this will happen:
Preview: Microsoft has already completed rolling out to Insiders preview.
Standard Release: Microsoft will begin rolling out early March and expect to complete by late March.
How this will affect your organization:
Users in your organization will not be able to open Excel XLL add-ins from untrusted locations. Steps to make locations a trusted location is provided in our support article.
What you need to do to prepare:
If your organization uses any Excel XLL add-ins, follow the steps provided in our support article to ensure those add-ins are coming from a trusted location.