Policy
Macro Runtime Scan Scope
Microsoft Office 5532.1000
Policy overview
Key metadata and intent for this policy.
Supported OS tags: Windows10
This policy setting specifies the behavior for both the VBA and Excel 4.0 (XLM) runtime scan features. Multiple Office apps support VBA macros, but XLM macros are only supported by Excel. Macros can only be scanned if the anti-virus software registers as an Antimalware Scan Interface (AMSI) provider on the device.

If you enable this policy setting, you can choose from the following options to determine the macro runtime scanning behavior:

- Disable for all files (not recommended): If you choose this option, no runtime scanning of enabled macros will be performed.
- Enable for low trust files: If you choose this option, runtime scanning will be enabled for all files for which macros are enabled, except for the following files:
  - Files opened while macro security settings are set to “Enable All Macros”
  - Files opened from a Trusted Location
  - Files that are Trusted Documents
  - Files that contain VBA that is digitally signed by a Trusted Publisher
- Enable for all files: If you choose this option, then low trust files are not excluded from runtime scanning.
- Enable for files, excluding documents marked as trusted by an admin: If you choose this option, runtime scanning will be enabled for all files for which macros are enabled, except for the following files:
  - Files opened from a Trusted Location
  - Files that contain VBA that is digitally signed by a Trusted Publisher

The VBA and XLM runtimes report to an antivirus system certain high-risk code behaviors the macro is about to execute. This allows the antivirus system to indicate whether or not the macro behavior is malicious. If the behavior is determined to be malicious, the Office application closes the session and the antivirus system can quarantine the file. If the behavior is non-malicious, the macro execution proceeds.

Note: When macro runtime scanning is enabled, the runtime performance of affected VBA projects and XLM sheets may be reduced.

If you disable this policy setting, no runtime scanning of enabled macros will be performed. If you don’t configure this policy setting, “Enable for low trust files” will be the default setting. Note: This policy setting only applies to subscription versions of Office, such as Microsoft 365 Apps for enterprise.
Registry values
How enabled and disabled states update the registry.
No explicit registry values are set for enabled or disabled states.
Policy elements
Inputs and configuration options exposed by this policy.
| Element | Type | Registry mapping | Constraints & behavior |
|---|---|---|---|
| L_MacroRuntimeScanScopeEnum (ID: L_MacroRuntimeScanScopeEnum) | enum | HKCU\software\policies\microsoft\office\16.0\common\security\macroruntimescanscope (Type: REG_DWORD) | Options: Disable for all documents (0), Enable for low trust documents (1), Enable for all documents (2), Scan excluding documents marked as trusted by an admin (3) |
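
An added example (not part of the original policy page): a PowerShell check that reads the registry value from the policy elements table and reports which files the configured option leaves out of runtime scanning. The function name is hypothetical, and treating a missing value as option 1 is an assumption based on the "not configured" default described above.

```powershell
# Added example: audit the per-user Macro Runtime Scan Scope policy value.
# Key path, value name and option numbers come from the policy elements table.
$PolicyKey = 'HKCU:\software\policies\microsoft\office\16.0\common\security'
$ValueName = 'macroruntimescanscope'

# Files each option leaves out of runtime scanning, per the policy description.
$ScopeTable = @{
    0 = @{ Name = 'Disable for all documents'; Unscanned = @('all files') }
    1 = @{ Name = 'Enable for low trust documents'; Unscanned = @(
            'files opened under "Enable All Macros"', 'Trusted Locations',
            'Trusted Documents', 'VBA signed by a Trusted Publisher') }
    2 = @{ Name = 'Enable for all documents'; Unscanned = @() }
    3 = @{ Name = 'Scan excluding documents marked as trusted by an admin'
           Unscanned = @('Trusted Locations', 'VBA signed by a Trusted Publisher') }
}

function Get-MacroRuntimeScanScope {   # hypothetical helper name
    $item = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Assumption: an absent value means "not configured", which behaves as option 1.
        $value = 1
        $source = 'default (value not present)'
    } else {
        $value = $item.$ValueName -as [int]   # $null if the data is not numeric
        $source = 'policy registry value'
    }

    if ($null -eq $value -or -not $ScopeTable.ContainsKey($value)) {
        # Wrong type or a number outside 0-3: report it instead of guessing.
        return [pscustomobject]@{
            Value = $item.$ValueName; Setting = 'unrecognised'; Source = $source
            Unscanned = $null; Finding = 'Value is not one of the documented options 0-3'
        }
    }

    $entry = $ScopeTable[$value]
    $finding = switch ($value) {
        0       { 'No runtime scanning of enabled macros (not recommended)' }
        2       { 'All macro-enabled files are scanned' }
        default { 'Scanning enabled, with trust-based exclusions' }
    }
    [pscustomobject]@{
        Value = $value; Setting = $entry.Name; Source = $source
        Unscanned = ($entry.Unscanned -join '; '); Finding = $finding
    }
}

Get-MacroRuntimeScanScope | Format-List
```

The key is under HKCU, so the result reflects only the user account the script runs as.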