Tag: Office

Disabling Office Macros via ASR to Meet Essential Eight Requirements

Using M365 Business Premium

The Essential Eight Mitigation Strategy #3 – Configure Microsoft Office Macro Settings requires organizations to disable Office macros by default for users without a demonstrated business need.1In cloud-only environments using Microsoft 365 Business Premium and Microsoft Intune, this can be achieved through multiple complementary approaches: 

  1. Configuration Profiles (Settings Catalog or Imported Administrative Templates) 
  1. Attack Surface Reduction (ASR) Rules 
  1. Microsoft Defender for Endpoint capabilities (included in Business Premium) 

However, there is an important limitation: Microsoft 365 Business Premium includes Microsoft 365 Apps for Business, which has limited support for the Office Cloud Policy Service—only privacy-related policies are supported.2For full macro control policies, you must use Configuration Profiles in Intune instead.3 

Understanding Essential Eight Macro Security Requirements 

Essential Eight Maturity Level Requirements 

The Australian Cyber Security Centre (ACSC) Essential Eight framework defines specific controls for Microsoft Office macro security:4 

Key ISM Controls (March 2025) 

The Essential Eight implementation addresses multiple Information Security Manual (ISM) controls:5 

ISM Control Requirement Implementation Method 
ISM-1671 Macros disabled for users without business requirement Configure “Disable VBA for Office applications” policy 
ISM-1488 Block macros from internet sources Enable “Block macros from running in Office files from the internet” 
ISM-1675 Disable Trust Bar for unsigned macros Configure “Disable Trust Bar Notification for unsigned applications” 
ISM-1672 Enable macro antivirus scanning Set “Macro Runtime Scan Scope” to “Enable for all documents” 
ISM-1673 Block Win32 API calls from macros Deploy ASR rule 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B 
ISM-1489 Prevent users from changing macro settings Deploy policies via Intune (users cannot modify) 

Microsoft 365 Business Premium Capabilities for Macro Control 

What’s Included in Business Premium 

Microsoft 365 Business Premium includes: 

  • Microsoft Intune for device management 
  • Microsoft Defender for Business (includes Attack Surface Reduction) 
  • Microsoft 365 Apps for Business (desktop applications) 

Important Licensing Limitations 

⚠️ Critical Consideration: The Office Cloud Policy Service (config.office.com) has limited functionality with Microsoft 365 Apps for Business: 

  • Only privacy control policies are supported6 
  • Full macro security policies are NOT supported via Office Cloud Policy Service for Business licenses7 
  • You must use Intune Configuration Profiles (Settings Catalog or Administrative Templates) instead 

For full Office Cloud Policy Service support, you would need Microsoft 365 Apps for Enterprise licenses.8 

Implementation Approach: Configuration Profiles in Intune 

Method 1: Import Pre-Built ACSC Hardening Policy (Recommended) 

Microsoft provides pre-built configuration profiles aligned with ACSC guidance. This is the fastest and most reliable method for Essential Eight compliance. 

Step-by-Step: Import ACSC Office Hardening Policy 

Detailed Steps:9 

  1. Create Target User Group 
  • Create an Azure AD security group for “All Office Users” 
  • This group will receive Office apps and hardening policies 
  1. Download ACSC Policy Template 
  • Download the ACSC Office Hardening Guidelines JSON file10 
  1. Import to Intune 
  • Sign in to Microsoft Intune admin center: https://intune.microsoft.com[^1] 
  • Navigate to: Devices > Windows > Configuration profiles > Create 
  • Select: Import Policy 
  • Name: “ACSC Office Hardening – All Macros Disabled” 
  • Browse for the downloaded JSON file 
  • Click Save11 
  1. Import OLE Prevention Script 
  • Navigate to: Devices > Scripts > Add > Windows 10 and later 
  • Name: “OLE Package Prevention” 
  • Configure: 
  • Run script using logged-on credentials: Yes 
  • Enforce script signature check: No 
  • Run in 64-bit PowerShell: No12 
  • Assign to: All Office Users group13 
  1. Assign the Policy 
  • In the imported policy, go to Assignments 
  • Included groups: Select “All Office Users” 
  • Review + Save 

Method 2: Manual Configuration Using Settings Catalog 

If you prefer granular control, you can manually configure macro policies using Intune’s Settings Catalog. 

Step-by-Step: Create Custom Macro Blocking Policy 

  1. Create New Settings Catalog Policy 
  • Navigate to: Microsoft Intune admin center (intune.microsoft.com) 
  • Go to: Devices > Configuration policies > Create > New Policy 
  • Platform: Windows 10 and later 
  • Profile type: Settings catalog 
  • Name: “Office Macro Security – Disable All Macros” 
  1. Configure Settings for Each Office Application 

The following settings must be configured for each Office application (Word, Excel, PowerPoint, Access, Outlook):14 15 

Microsoft Office 2016 (Global Settings) 

Setting Path Configuration 
Microsoft Office 2016 > Security Settings  
Automation Security Enabled 
– Set Automation Security level Disable macros by default 
Disable VBA for Office applications Enabled 
Security Settings > Trust Center  
Allow mix of policy and user locations Disabled 

Microsoft Excel 2016 

Setting Path Configuration 
Excel Options > Security > Trust Center  
VBA Macro Notification Settings Enabled 
– VBA Macro Notification Disable all without notification 
Block macros from running in Office files from the Internet Enabled 
Trust access to Visual Basic Project Disabled 
Turn off trusted documents Enabled 
Turn off Trusted Documents on the network Enabled 
Excel Options > Security > Trust Center > Trusted Locations  
Allow Trusted Locations on the network Disabled 
Disable all trusted locations Enabled 

Microsoft Word 2016 

Setting Path Configuration 
Word Options > Security > Trust Center  
VBA Macro Notification Settings Enabled 
– VBA Macro Notification Disable all without notification 
Block macros from running in Office files from the Internet Enabled 
Trust access to Visual Basic Project Disabled 
Turn off trusted documents Enabled 
Turn off Trusted Documents on the network Enabled 
Word Options > Security > Trust Center > Trusted Locations  
Allow Trusted Locations on the network Disabled 
Disable all trusted locations Enabled 

Microsoft PowerPoint 2016 

Setting Path Configuration 
PowerPoint Options > Security > Trust Center  
VBA Macro Notification Settings Enabled 
– VBA Macro Notification Disable all without notification 
Block macros from running in Office files from the Internet Enabled 
Trust access to Visual Basic Project Disabled 
Turn off trusted documents Enabled 
Turn off Trusted Documents on the network Enabled 
PowerPoint Options > Security > Trust Center > Trusted Locations  
Allow Trusted Locations on the network Disabled 
Disable all trusted locations Enabled 

Microsoft Access 2016 

Setting Path Configuration 
Application Settings > Security > Trust Center  
VBA Macro Notification Settings Enabled 
– VBA Macro Notification Disable all without notification 
Block macros from running in Office files from the Internet Enabled 
Turn off trusted documents Enabled 
Turn off Trusted Documents on the network Enabled 
Application Settings > Security > Trust Center > Trusted Locations  
Allow Trusted Locations on the network Disabled 
Disable all trusted locations Enabled 

Microsoft Outlook 2016 

Setting Path Configuration 
Security > Trust Center  
Apply macro security settings to macros, add-ins and additional actions Enabled 
Security settings for macros Enabled 
– Security Level Never warn, disable all 
  1. Assign the Policy 
  • Assignments: Select your target user or device groups 
  • Review + Create 

Attack Surface Reduction (ASR) Rules for Essential Eight Compliance 

Can ASR Rules Meet Essential Eight Requirements? 

Yes, partially. Windows Attack Surface Reduction rules provide critical additional protections that complement macro blocking policies and help meet Essential Eight requirements.16 17 

ASR rules are included with Microsoft 365 Business Premium via Microsoft Defender for Business and can be deployed through Intune.18 

Essential Eight-Relevant ASR Rules 

The following ASR rules directly support Essential Eight mitigation strategies:19 20 

ASR Rules for Office Macro Security 

ASR Rule Name GUID Essential Eight Alignment ISM Control 
Block Win32 API calls from Office macros 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b ✅ Required – Prevents macros from making dangerous system calls ISM-1673 
Block Office applications from creating child processes d4f940ab-401b-4efc-aadc-ad5f3c50688a ✅ Recommended – Prevents macro-launched executables User App Hardening 
Block Office applications from creating executable content 3b576869-a4ec-4529-8536-b80a7769e899 ✅ Recommended – Prevents macros from creating .exe files User App Hardening 
Block Office applications from injecting code into other processes 75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84 ✅ Recommended – Prevents code injection attacks User App Hardening 
Block Office communication applications from creating child processes 26190899-1602-49e8-8b27-eb1d0a1ce869 ✅ Recommended – Protects Outlook from exploitation User App Hardening 

Step-by-Step: Deploy ASR Rules via Intune 

Detailed Implementation Steps:21 

  1. Navigate to ASR Policy Creation 
  • Go to: Endpoint security > Attack surface reduction 
  • Click: Create Policy22 
  1. Configure Policy Basics 
  • Platform: Windows 10, Windows 11, and Windows Server 
  • Profile: Attack Surface Reduction Rules 
  • Name: “Essential Eight – Office ASR Rules” 
  • Description: “ASR rules aligned with ACSC Essential Eight requirements” 
  1. Configure ASR Rules 

For each of the Essential Eight-relevant rules, configure the mode:23 

ASR Rule Initial Mode Production Mode 
Block Win32 API calls from Office macros Audit Block (Required for ISM-1673) 
Block Office applications from creating child processes Audit Block 
Block Office applications from creating executable content Audit Block 
Block Office applications from injecting code into other processes Audit Block 
Block Office communication applications from creating child processes Audit Block 

Mode Definitions: 

  • Not Configured (0): Rule is disabled 
  • Block (1): Rule is enforced 
  • Audit (2): Rule logs events but doesn’t block 
  • Warn (6): User receives warning but can bypass24 
  1. Assign the Policy 
  • Assignments
  • Included groups: “All Windows Devices” or specific pilot groups 
  • Excluded groups: Any test or exception groups 
  • Click Next and Create 
  1. Testing and Deployment Strategy 

⚠️ Important: ASR rules should be thoroughly tested before full enforcement:25 

  • Week 1-2: Deploy all rules in Audit mode 
  • Week 3-4: Review Microsoft Defender for Endpoint logs for blocked activity 
  • Week 5+: Switch rules to Block mode for full enforcement 
  • Monitor for false positives and create exclusions as needed 

Alternative: Manual ASR Deployment via Graph API 

For advanced deployments, you can use Microsoft Graph API to deploy ASR policies programmatically:26 

Step-by-Step: 

  1. Navigate to Graph Explorer 
  • Sign in with administrator credentials 
  • Grant necessary permissions 
  1. Create POST Request 
  • Method: POST 
  • Schema: Beta 
  1. Use ACSC Windows Hardening JSON 
  • Copy the JSON content and paste into the request body 
  • Modify the policy name if needed 
  • Execute the POST request 
  1. Assign Policy 
  • Use Graph API or Intune portal to assign the created policy to your device groups 

Monitoring and Validation 

Verifying Policy Application 

After deploying policies, verify they’re working correctly: 

  1. Check Policy Status in Intune 
  • Navigate to: Devices > Monitor > Device configuration 
  • Review deployment status for your macro policies 
  • Check for any errors or conflicts28 
  1. Test on End-User Device 
  • Have a test user attempt to open a macro-enabled Office file 
  • Verify that macros are blocked and no prompt appears 
  • Check that Trust Center settings are grayed out (not user-modifiable) 
  1. Review Microsoft Defender for Endpoint 

If you have Defender for Endpoint (included in Business Premium), monitor for macro-related events:29 

  • Endpoint behavioral sensors collect macro execution attempts 
  • Cloud security analytics translate signals into insights 
  • Threat intelligence identifies attacker techniques 
  • Review alerts in the Microsoft 365 Defender portal (security.microsoft.com) 
  1. Validate ASR Rule Effectiveness 
  • Navigate to: Microsoft 365 Defender portal > Reports > Attack surface reduction rules 
  • Review triggered events for each ASR rule 
  • Identify false positives and create exclusions if needed 

Exception Management: Allowing Trusted Macros 

Some users may have legitimate business requirements for macros. The Essential Eight framework accommodates this through Trusted Publishers or Trusted Locations.30 

Option 1: Trusted Publishers (Recommended) 

Trusted Publishers use digital signatures to verify macro authenticity. This is the preferred method for Essential Eight compliance.31 

Step-by-Step: Enable Trusted Publishers 

  1. Create Exception Group 
  • Create Azure AD group: “Office Macro Users – Trusted Publishers” 
  • Add users with legitimate macro needs32 
  1. Download Trusted Publisher Policy 
  1. Import to Intune 
  • Navigate to: Devices > Configuration profiles > Import Policy 
  • Browse for downloaded JSON file 
  • Name: “ACSC Office – Trusted Publishers Enabled” 
  • Assign to: “Office Macro Users – Trusted Publishers” group33 
  1. Exclude from Macro Blocking Policy 
  • Edit your “All Macros Disabled” policy 
  • Go to Assignments 
  • Excluded groups: Add “Office Macro Users – Trusted Publishers”34 
  1. Deploy Trusted Publisher Certificates 

For each approved macro publisher:35 

  • Navigate to: Devices > Configuration profiles > Create 
  • Profile type: Trusted certificate 
  • Upload the publisher’s code-signing certificate 
  • Assign to: “Office Macro Users – Trusted Publishers” group 

Certificate Requirements:36 

  • Must use V3 signature scheme (more secure) 
  • Certificate must be from a trusted Certificate Authority 
  • Each publisher should have a separate policy for easier management 
  1. Macro Vetting Process 

Before signing any macros:37 

  • Execute macros on an isolated test device with ACSC hardening applied 
  • Verify no malicious behavior 
  • Use Microsoft Defender Antivirus scanning (automatic with ACSC policies) 
  • Consider third-party macro scanning tools for additional validation 

Comprehensive Policy Summary Table 

Configuration Profile Settings 

Policy Category Setting Configuration Purpose 
VBA Macro Execution Disable VBA for Office applications Enabled Disables VBA engine globally38 
 VBA Macro Notification Settings Disable all without notification Blocks all macros silently39 
Internet Macros Block macros from Internet sources Enabled Prevents macros from untrusted sources40 
Automation Security Automation Security Level Disable macros by default Prevents COM automation attacks41 
Trust Center Turn off trusted documents Enabled Prevents trust bypass via document trust42 
 Turn off Trusted Documents on network Enabled Prevents network trust bypass43 
 Disable all trusted locations Enabled Blocks trusted location bypass44 
 Allow mix of policy and user locations Disabled Prevents user-defined trust45 
 Trust access to VBA Project Disabled Blocks programmatic VBA access46 
Macro Scanning Macro Runtime Scan Scope Enable for all documents Enables Defender AV scanning47 

Attack Surface Reduction Rules 

ASR Rule GUID Mode Purpose 
Block Win32 API calls from Office macros 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b Block Prevents dangerous API calls (ISM-1673)48 
Block Office apps creating child processes d4f940ab-401b-4efc-aadc-ad5f3c50688a Block Prevents macro-launched executables49 
Block Office apps creating executable content 3b576869-a4ec-4529-8536-b80a7769e899 Block Prevents .exe creation50 
Block Office apps injecting code 75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84 Block Prevents process injection51 
Block Outlook creating child processes 26190899-1602-49e8-8b27-eb1d0a1ce869 Block Protects email client52 

Key Limitations and Considerations 

Microsoft 365 Business Premium Constraints 

Testing Recommendations 

  1. Pilot Deployment: Test policies with a small group before organization-wide rollout53 
  1. Audit Mode First: Deploy ASR rules in Audit mode for 2-4 weeks before enforcement54 
  1. User Communication: Notify users about macro blocking to reduce helpdesk calls 
  1. Exception Process: Establish clear process for macro exception requests 
  1. Regular Review: Validate Trusted Publisher certificates annually55 

Complete Implementation Checklist 

  • Phase 1: Preparation 
  • Create Azure AD security groups (“All Office Users”, “Macro Exception Users”) 
  • Document current macro usage across organization 
  • Establish exception approval process 
  • Communicate changes to end users 
  • Phase 2: Baseline Policy Deployment 
  • Download ACSC Office Hardening policy from GitHub 
  • Import policy to Intune Configuration Profiles 
  • Download and import OLE prevention PowerShell script 
  • Assign policies to pilot group 
  • Test policy application on pilot devices 
  • Phase 3: ASR Rule Deployment 
  • Create ASR policy in Endpoint Security 
  • Configure 5 Office-related ASR rules in Audit mode 
  • Assign to pilot group 
  • Monitor events in Microsoft 365 Defender for 2-4 weeks 
  • Phase 4: Production Rollout 
  • Review audit logs for false positives 
  • Create ASR exclusions if needed 
  • Switch ASR rules to Block mode 
  • Expand deployment to all users 
  • Configure Trusted Publisher policies for exception users 
  • Phase 5: Ongoing Management 
  • Monitor Defender for Endpoint alerts 
  • Review exception requests quarterly 
  • Validate Trusted Publisher certificates annually 
  • Update policies as new ISM controls are released 

Conclusion 

Meeting the Essential Eight requirements for disabling Office macros in a cloud-only environment with Microsoft 365 Business Premium is achievable through: 

  1. Intune Configuration Profiles: Disable macros at the Office application level using Settings Catalog or imported administrative templates 
  1. Attack Surface Reduction Rules: Deploy complementary ASR rules to block macro-related attack behaviors 
  1. Exception Management: Use Trusted Publishers for users with legitimate macro needs 
  1. Continuous Monitoring: Leverage Microsoft Defender for Endpoint for visibility and alerting 

While Office Cloud Policy Service has limitations with Business Premium, Intune Configuration Profiles provide full macro control capabilities needed for Essential Eight compliance. ASR rules successfully accommodate Essential Eight requirements by providing the necessary technical controls, particularly ISM-1673 (blocking Win32 API calls from macros). 

The combination of these approaches provides defense-in-depth aligned with ACSC guidance and enables organizations to achieve Essential Eight Maturity Level 3 for macro security. 

References 

Microsoft Official Documentation 

Microsoft Learn – Essential Eight Guidance 

  • Essential Eight configure Microsoft Office macro settings 
  • Site: Microsoft Learn 

Microsoft Learn – Essential Eight User Application Hardening 

  • Essential Eight user application hardening 
  • Site: Microsoft Learn 

Microsoft Learn – Intune Office Policies 

  • Policies for Microsoft 365 Apps – Microsoft Intune 
  • Site: Microsoft Learn 

Microsoft Learn – Office Cloud Policy Service Overview 

  • Overview of Cloud Policy service for Microsoft 365 
  • Site: Microsoft Learn 

Microsoft Learn – Attack Surface Reduction Rules Reference 

  • Attack surface reduction rules reference – Microsoft Defender for Endpoint 
  • Site: Microsoft Learn 

Microsoft Learn – Manage ASR with Intune 

  • Manage attack surface reduction settings with Microsoft Intune 
  • Site: Microsoft Learn 

Microsoft Intune Admin Center 

  • Microsoft Intune admin center 
  • Site: Microsoft Intune 

Australian Cyber Security Centre (ACSC) Guidance 

Cyber.gov.au – Restricting Microsoft Office Macros 

  • Restricting Microsoft Office macros 
  • Site: Australian Cyber Security Centre (ACSC) 

Cyber.gov.au – Guidelines for System Hardening 

  • Guidelines for System Hardening 
  • Site: Australian Cyber Security Centre (ACSC) 

Cyber.gov.au – Hardening Microsoft 365 and Office 

  • Hardening Microsoft 365, Office 2021, Office 2019, and Office 2016 
  • Site: Australian Cyber Security Centre (ACSC) 

Cyber.gov.au – Microsoft Office Macro Security 

  • Microsoft Office Macro Security 
  • Site: Australian Cyber Security Centre (ACSC) 

Cyber.gov.au – Essential Eight Assessment Process Guide 

  • Essential Eight assessment process guide 
  • Site: Australian Cyber Security Centre (ACSC) 

Cyber.gov.au – Technical Example: Configure Macro Settings 

  • Technical example: Configure macro settings 
  • Site: Australian Cyber Security Centre (ACSC) 

ASD Blueprint for Secure Cloud 

ASD Blueprint – Office Hardening All Macros Disabled 

  • ASD Office hardening – all macros disabled 
  • Site: ASD’s Blueprint for Secure Cloud 

ASD Blueprint – Microsoft Office Macro Hardening Design 

  • Microsoft Office macro hardening 
  • Site: ASD’s Blueprint for Secure Cloud 

ASD Blueprint – Restrict Microsoft Office Macros 

  • Restrict Microsoft Office macros 
  • Site: ASD’s Blueprint for Secure Cloud 

GitHub Repositories and Templates 

Microsoft GitHub – ACSC Office Hardening Guidelines 

  • ACSC Office Hardening Guidelines (JSON) 
  • Site: GitHub – Microsoft 

Microsoft GitHub – OLE Prevention PowerShell Script 

  • OfficeMacroHardening-PreventActivationofOLE.ps1 
  • Site: GitHub – Microsoft 

Microsoft GitHub – ACSC Windows Hardening ASR Policy 

  • ACSC Windows Hardening Guidelines – Attack Surface Reduction policy (JSON) 
  • Site: GitHub – Microsoft 

GitHub – ACSC Essential 8 Office Hardening Module 

  • benjamin-robertson/acsc_e8_office_hardening 
  • Site: GitHub – Community 

Community and Technical Resources 

Reddit – Office 365 Community Discussion 

  • 365 Business Premium – GPO or config.office.com 
  • Site: Reddit – r/Office365 

Practical365 – Office Cloud Policy Service 

  • Block Macro Execution with Office Cloud Policy Service (OCPS) 
  • Site: Practical365 

Mr T-Bone’s Blog – Intune Office Policies 

  • How to use policies for Office apps in Intune 
  • Site: Mr T-Bone´s Blog 

Helge Klein – Blocking Office Macros 

  • Blocking Office Macros, Managing Windows & macOS via Intune 
  • Site: Helge Klein 

T-Minus365 – Deploy ASR Rules 

  • Deploy Attack Surface Reduction Rules from Microsoft Intune 
  • Site: T-Minus365 

Azure with Tom – Implementing ASR Policies 

  • Implementing Attack Surface Reduction Policies 
  • Site: Azure with Tom 

Additional Resources 

Microsoft Graph API – Graph Explorer 

  • Graph Explorer for API Testing 
  • Site: Microsoft Developer 

Microsoft 365 Defender Portal 

  • Microsoft 365 Defender Security Portal 
  • Site: Microsoft 365 Defender 

CISA – Disable VBA Macros Guidance 

  • Disable Visual Basic for Applications (VBA) Macros (CM0056) 
  • Site: Cybersecurity and Infrastructure Security Agency (CISA) 

Office desktop apps include Windows Explorer

A major stumbling block for many during the transformation process from on premises to Microsoft 365 is the desire for Windows Explorer. It is understandable that people want to maintain the status quo and their current work processes, however want many don’t appreciate is that Windows Explorer like capability is built right into Microsoft Office desktop applications.

image

If we take a look a Word as an example, and then select Open from the menu on the left, we find an array of documents displayed that were recently opened as shown above. You’ll also notice that you can view recently accessed Folders from this same interface as well. There is even a Search option at the top of the page to help you locate items in this list.

image

You’ll see there is also the ability to ‘pin’ an item (file or folder) so that it will always appear as shown above.

image

A little further down you will find the cloud storage locations you are connected to as shown above, which are typically associated with your Microsoft 365 environment. If I select SharePoint here, I will then see a list of my SharePoint sites on the right.

image

If I then drill into a site, I will see all the Document Libraries it contains. If then drill into a Document Library I will see all the files and folders within, just like you do when using Windows Explorer.

image

If I right click on something like a folder, you see from the above, that I again have the ability to Pin to Recent list. This makes it easy to navigate back to that location later. It is always a good idea to do this for those locations you need to get to regularly. 

I can move up and down the list of items as I could using Windows Explorer. This therefore, should be the familiarity that many are looking for when navigating file structures.

The file displays inside this application navigation are limited to files that can be opened or view by that application. For Word this would be things like DOC, DOCX, PDF, Text files and so on.

It would be nice if Microsoft (or anyone else) took this built-in Office desktop navigation and created a stand alone desktop application that could navigate all files at once. This would then be a direct replacement for the traditional version of Windows Explorer but for locations in Microsoft 365. How handy would that be?

As yet, I have not found an application that does this but hopefully some smart developer will look ate creating something as I reckon it would be a real winner. So, for the time being, remember that you do have a simplified version of the old familiar Windows Explorer built into Office desktop application that you can use to enhance your daily workflow with the common file types you work with in Microsoft 365.

CIAOPS Need to Know Microsoft 365 Webinar – January

laptop-eyes-technology-computer

Join me for the free monthly CIAOPS Need to Know webinar and the first for 2022. Along with all the Microsoft Cloud news we’ll be taking a look at using OneNote for collaboration.

Shortly after registering you should receive an automated email from Microsoft Teams confirming your registration, including all the event details as well as a calendar invite.

You can register for the regular monthly webinar here:

January Webinar Registrations

(If you are having issues with the above link copy and paste – https://bit.ly/n2k2201 – into your browser)

The details are:

CIAOPS Need to Know Webinar – January 2022
Friday 28th of January 2021
11.00am – 12.00am Sydney Time

All sessions are recorded and posted to the CIAOPS Academy.

The CIAOPS Need to Know Webinars are free to attend but if you want to receive the recording of the session you need to sign up as a CIAOPS patron which you can do here:

http://www.ciaopspatron.com

or purchase them individually at:

http://www.ciaopsacademy.com/

Also feel free at any stage to email me directly via director@ciaops.com with your webinar topic suggestions.

I’d also appreciate you sharing information about this webinar with anyone you feel may benefit from the session and I look forward to seeing you there.

Testing for CVE-2021-40444 vulnerability

There are current concerns around:

Microsoft MSHTML Remote Code Execution Vulnerability

which is yet to have a patch made available.

I found this excellent article:

CLICK ME IF YOU CAN, OFFICE SOCIAL ENGINEERING WITH EMBEDDED OBJECTS

which provide some PowerShell scripts to create Word documents that can be used to test for the vulnerability.

I have run these scripts to create the actual Word documents and uploaded them for you here:

Office365/example at master · directorcia/Office365 (github.com)

2021-09-11_10-21-14

In both cases, when you open these documents, you should NOT be able to get CALC.EXE to execute on your system unlike what you see above and below.

test2-screen

I have also added these tests to my security testing script which you can download from my GitHub repo here:

Office365/sec-test.ps1 at master · directorcia/Office365 (github.com)

image

When I opened these documents in my production environment, the vulnerability was largely blocked thanks to Windows ASR which I have detailed previously:

Attack surface reduction for Windows 10

You can use the follow KQL query as I did above to view the result of this blocking if you are using something like Azure Sentinel like I am:

Another great security add on for Microsoft 365

KQL:

DeviceEvents
| where ActionType startswith ‘Asr’

Light or Dark mode?

One of the perennial high powered technology debates is whether Light or Dark mode is better. This ranks alongside similar torch and pitch fork ‘discussion’ events  like iOS or Android, PC or Mac and tabs or spaces. Luckily, just about everything these days, including Microsoft 365, supports a choice of modes.

image

Now I’ve dabbled with switching to dark mode over the years but recently I’ve decided to go all in for at least 30 days. This means I’ve switched EVERYTHING to dark mode. Every app, every device. Dark mode everywhere.

image

So, I’ve switched my Office apps (OneNote above), browsers (Edge and Brave) as well as Microsoft 365 and Azure into dark mode.

A few days in, I gotta admit, that it takes some getting used to. The border of desktop windows is much harder to find along with the dialog windows header. I notice far more reflection from what’s behind me when using my Surface PC, which is somewhat distracting, and the local post office had issues scanning an email QR code on my iPad until I changed it back to light mode. However, I’m sticking it out for the full 30 days to see but I’m not a convert as yet by any means.

I think that dark mode works a lot better if you are a coding type who spends hours and hours every day looking at lines of code. That is not the case for productivity workers who are regularly swapping between applications. This, in my opinion, is much harder when using dark mode.

Let’s see what the 30 day trial brings. I do appreciate the benefits but whether these are noticeable to me, only time will tell.

Setting text language in Office Online

Some people don’t wish to use the default English (U.S.) as their preferred language for Office Online when they create new documents there. Interestingly, you can change the option but it doesn’t seem to work for all languages. Here’s how to change the setting, but it has limitations.

image

In my case, my production tenant is set up in Australia. The language I use everywhere is English (Australia). You would think that this applies to any new document created using Office Online. Not so, it seems. If I create a new Word document using the web interface as shown above, I get:

image

but if you look in the lower left you see:

image

If you click on the language text you get:

image

Here I can select English (Australia) as my language. Now my document reports:

image

All good right? Sure, until you create a new document using Office Online. You are then back to original language. In my case  English (U.S.) not English (Australia)! I don’t want to be changing the language manually for every new document I create with Office Online. How do I therefore make my preferred language ‘stick’ with Office Online?

As far I can tell, to make a different language ‘stick’ for a user when they use Office Online they will need to do the following:

1. Login to the Microsoft 365 portal (https://portal.office.com) with their own credentials.

2.  Select their Account Manager icon in the top right of the portal window like so:

image

3. From the menu that appears select My Office profile like so:

image

4. Select the Update profile button the Delve page like so:

image

5. On the Update your profile page, locate and select How can I change language and region settings? as shown:

image

6. This reveal a new line that includes a hyperlink on the word “here” as shown below, which you need to select. Note the additional instructions it also gives you – click the ellipse (…) and then choose Language and Region.

image

7. As the previous instructions detailed, on the Edit Details page select the ellipse (…) like so:

image

8. From the items that are displayed, select Language and Region as previously directed:

image

9. Select the option to Show Advanced Language Settings as shown:

image

10. Select the Pick a new language for both of the selection boxes displayed like so:

image

11. It is at this point that not all options are accepted it turns out. In my case if I select English (Australia), the Office Online documents continue to open with English (U.S.). As it turns out, the best I can do in my case is set the language to English (United Kingdom) and then select the Add button like so:

image

If you want another language, you’ll probably have to try a few to see whether they ‘stick’.

12.  My end result looks like:

image

You’ll also need to either remove the existing language (as I have done, so English (U.S.) no longer appears) or change the priority of the language added, via the up/down arrows on the right of the language, and place it at the top of list to make it the default.

13. Scroll to the bottom of the page and make sure you select Save all and close to update your preferences:

image

14. Lastly, you’ll need to wait about 15 minutes or so it seems for this to take effect.

If you now open a new Office Online document, you should now see the selected language as default like so:

image

Phew, that’s a lot of work isn’t it? It may not be English (Australia) but it is now much closer to that than what it used to be. Remember, that each individual who wants their language changed for Office Online will need to complete these steps.

Next challenge, how to script it with PowerShell for bulk deployment? Not sure I want to go down that rabbit hole. We’ll see. Let me know if you’d find value in a script to make these changes across your tenant.

Microsoft 365 Automation presentation

These are the slides from my recent presentation on the automation options available in Microsoft 365.

The most important take away I believe is that we live in a world dominated by software. This fact is highlighted that:

Software is eating the world

There are plenty of reasons not to focus on software as a success path but that major reason to is simply the opportunity it provides, especially if most others believe it is all too hard.

It is important remember that software is a skill not a talent. This means it is something that can learned and improved continually over time. There is no such thing as a born developer. Some may have a higher aptitude to software development than others but that doesn’t means it isn’t something you can develop and learn.

As you ponder the worth of automation, have a look at all the simple processes you repeat continually throughout your day. Why is that? Why are these not automated? We live in a world of abundant technology. Most people carry a computer with them that is more powerful that the one that landed on the moon, yet it seems we all have less time to do the things we really enjoy. Why is that? We have allowed technology to master us, rather than using software to make it do our bidding.

The place to start with Microsoft 365 automation is on the desktop. Applications like Word, Excel, and so on contain the ability to record processes via macros and replay these quickly and easily. In fact it will actually convert these actions into code that can be further modified. Every Office application has a huge set of tools to assist with automating processes.

Although tools like SharePoint Designer have now been depreciated they are still available to use. If you are doing work with SharePoint, especially migration, it is important that you have some idea about the workflows SharePoint Designer creates and how they can be maintained.

Third party services like IFTTT and Zapier provide the ability to connect to Microsoft 365 services. One place that I use IFTTT is to save a backup of each of my blog articles directly to a OneNote file I have saved in OneDrive. I use Zapier to automate my free SharePoint email course offering.

The important consideration here is that the automation does not have to be purely focused on a technical outcome. It can be used in many places inside a business, including marketing.

The Microsoft equivalent of tools like IFTTT is known as Microsoft Flow. It allows to connect to both Microsoft 365 and third party services and map a process around these. The great thing about Flow is that it can integrated to includes on premises resources as well as be extended. More power is also available with tools like Azure Logic App and Azure Functions, which can be easily integrated into Microsoft 365.

Introduction to Microsoft Flow

Automation is also available in Microsoft Teams by utilising either the built in bots or even going far as to build your own. You will also find that Teams has a Flow bot that you can incorporated. This shows you the power of the power of the Microsoft solution via the integration of tools throughout the stack. Delivering automation for a business through a services like Teams makes a lot of sense as many of your users are already here most of the time.

The automation tool that most IT Professionals should be focusing on without doubt is PowerShell. Unfortunately, this seems to be the one that garners the most resistance and there is no doubt that getting started with PowerShell can be challenging. However, there are options like Azure Cloud Shell that make this much easier and also allow you to access PowerShell through a browser or even a mobile app.

The way forward with PowerShell is to use it’s ability to integrate and take advantage of the Microsoft Graph. This avoids the need to load multiple cumbersome service modules. If you are looking to invest your time in PowerShell with Microsoft 365 then you should be investigating how to take advantage of the Microsoft Graph using it.

As a final point to consider, I’d recommend you take a look at the following video from Daniel Pink, especially at this point (from about 29 minutes in):

https://youtu.be/CUDqN7MNsRw?t=1662

Microsoft 365 Business adds shared computer activation (SCA) rights

Image may contain: text

The above from is from the message center of a Microsoft 365 Business tenants confirming that Shared Computer Access (SCA) will very soon to be available in Microsoft 365 Business SKUs. This will allow those SKUs to install Office desktop software on things such as on premises servers with a Remote Desktop Services (RDS) role (aka on a Terminal Server).

To do so previous required an Enterprise (E) license. This is big news for Microsoft 365 Business and further improves the value of this SKU!