Key Takeaways:
Microsoft is set to disable ActiveX controls by default in its upcoming Office 2024 suite that will launch in October. This new security measure will affect popular Office desktop apps such as Microsoft Word, PowerPoint, Excel, and Visio.
Microsoft introduced ActiveX in 1996, allowing developers to embed interactive controls in web pages and applications. In Office, ActiveX controls added interactive features like buttons and list boxes to documents. While modern browsers no longer support ActiveX, it can still be used in the Internet Explorer mode of Microsoft Edge.
“Starting in new Office 2024, the default configuration setting for ActiveX objects will change from Prompt me before enabling all controls with minimal restrictions to Disable all controls without notification,” the company explained on the Microsoft 365 admin center. “Users will no longer be able to create or interact with ActiveX objects in Office documents when this change is implemented.”
Microsoft explains that while some existing ActiveX objects will still appear as static images in Office documents, users will no longer be able to interact with them. Microsoft says that the apps will display the following message in the non-commercial versions of Microsoft Office: “The new default setting is equivalent to the existing DisableAllActiveX group policy setting”
To re-enable these ActiveX controls, Office users will need to revert to the previous default configuration by adjusting specific settings in the Trust Center, the registry, or group policy.
ActiveX controls have been well-known for their role in spreading malware within enterprise environments. Cybercriminals have exploited these controls to run malicious code and steal sensitive information from users’ computers. Microsoft believes that disabling ActiveX controls by default will enhance security and better protect both enterprise customers and consumers from such threats.
Microsoft says that this new default behavior will first roll out to customers in Office 2024. This change will also gradually make its way to the Microsoft 365 apps starting in April 2025.
The move to ActiveX controls by default is part of Microsoft’s ongoing efforts to strengthen security across its products and services. In 2022, Microsoft began blocking Visual Basic for Applications (VBA) macros by default in Office apps, and it has also disabled untrusted XLL add-ins by default in Excel.