Office 2024 to Block ActiveX Controls by Default to Protect Users from Malware

Published: Sep 09, 2024

Key Takeaways:

  • Microsoft plans to disable ActiveX controls by default in Office 2024.
  • Users will no longer be able to create or interact with ActiveX objects.
  • This change is part of Microsoft’s broader efforts to enhance security and protect against malware and cyber threats.

Microsoft is set to disable ActiveX controls by default in its upcoming Office 2024 suite that will launch in October. This new security measure will affect popular Office desktop apps such as Microsoft Word, PowerPoint, Excel, and Visio.

Microsoft introduced ActiveX in 1996, allowing developers to embed interactive controls in web pages and applications. In Office, ActiveX controls added interactive features like buttons and list boxes to documents. While modern browsers no longer support ActiveX, it can still be used in the Internet Explorer mode of Microsoft Edge.

“Starting in new Office 2024, the default configuration setting for ActiveX objects will change from Prompt me before enabling all controls with minimal restrictions to Disable all controls without notification,” the company explained on the Microsoft 365 admin center. “Users will no longer be able to create or interact with ActiveX objects in Office documents when this change is implemented.”

ActiveX Controls in Microsoft Excel (Image Credit: Microsoft)

Microsoft explains that while some existing ActiveX objects will still appear as static images in Office documents, users will no longer be able to interact with them. Microsoft says that the apps will display the following message in the non-commercial versions of Microsoft Office: “The new default setting is equivalent to the existing DisableAllActiveX group policy setting.”

How to re-enable ActiveX controls in Office 2024

To re-enable these ActiveX controls, Office users will need to revert to the previous default configuration by adjusting specific settings in the Trust Center, the registry, or group policy.

  • Navigate to the Trust Center Settings dialog and click the “Prompt me before enabling all controls with minimal restrictions” option available under ActiveX Settings.
  • In the Windows registry, set HKEY_CURRENT_USER\Software\Microsoft\Office\Common\Security\DisableAllActiveX to 0 (REG_DWORD).
  • Configure the ‘Disable All ActiveX’ group policy setting to 0.
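
Because any user can revert the default with the registry value above, administrators may want to know where that has happened. The following PowerShell audit is an added example, not code from the article or from Microsoft. It checks the article's registry value in every loaded user hive; the function name `Get-ActiveXOverride` is hypothetical, and treating any non-zero value as "still blocked" is an assumption.

```powershell
# Added example: report where DisableAllActiveX has been set back to 0.
# The relative key path and value name are the ones given in the article.
$RelPath   = 'Software\Microsoft\Office\Common\Security'
$ValueName = 'DisableAllActiveX'

function Get-ActiveXOverride {
    # Hypothetical helper: inspects one user hive and classifies the setting.
    param([Parameter(Mandatory)][string]$HiveRoot)  # e.g. 'Registry::HKEY_USERS\<SID>'

    $key  = "$HiveRoot\$RelPath"
    $item = Get-ItemProperty -Path $key -Name $ValueName -ErrorAction SilentlyContinue

    if ($null -eq $item) {
        # Key or value absent: the Office 2024 default (controls disabled) applies.
        $value = $null
        $state = 'NotSet'
    } else {
        $value = $item.$ValueName
        # 0 is the value the article gives for re-enabling ActiveX.
        # Assumption: any non-zero value leaves the block in place.
        $state = if ($value -eq 0) { 'ReEnabled' } else { 'Blocked' }
    }

    [pscustomobject]@{ Hive = $HiveRoot; Value = $value; State = $state }
}

# Only hives that are currently loaded appear under HKEY_USERS, and reading
# another user's hive requires an elevated session.
# The filter keeps local/domain (S-1-5-21-...) and Entra ID (S-1-12-1-...) user
# SIDs and skips the *_Classes subkeys and built-in service accounts.
$results = Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -match '^S-1-(5-21|12-1)-[\d-]+$' } |
    ForEach-Object { Get-ActiveXOverride -HiveRoot "Registry::$($_.Name)" }

$results | Format-Table -AutoSize

# Hives where a user has reverted to the previous, more permissive behavior.
$results | Where-Object State -eq 'ReEnabled'
```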

What are the risks?

ActiveX controls are well known for their role in spreading malware within enterprise environments. Cybercriminals have exploited these controls to run malicious code and steal sensitive information from users’ computers. Microsoft believes that disabling ActiveX controls by default will enhance security and better protect both enterprise customers and consumers from such threats.

Microsoft says that this new default behavior will first roll out to customers in Office 2024. This change will also gradually make its way to the Microsoft 365 apps starting in April 2025.

The move to disable ActiveX controls by default is part of Microsoft’s ongoing efforts to strengthen security across its products and services. In 2022, Microsoft began blocking Visual Basic for Applications (VBA) macros by default in Office apps, and it has also disabled untrusted XLL add-ins by default in Excel.