MikeLehmann-8939 asked

Excel macros are not being blocked from MS Teams

We need to block Excel macros from Internet sources. I have enabled the following settings in the GPO Excel Trust Center settings:

Block macros from office files from the Internet = Enabled
Allow trusted locations on the network = Disabled
Turn off trusted documents on the network = Enabled

The result of this is that an Internet macro won't open from either c: or the user's OneDrive, BUT any file that is shared over MS Teams will always open, and it never has the banner at the top "be careful about files from the Internet", and the macros always execute unhindered.

How can I make Teams either not be inherently trusted or recognise the file was sourced from the Internet correctly?

Thanks


SamsonPeng-MSFT answered

Hello there,

As far as my research goes, files that you upload to a channel are stored in your team's SharePoint folder, which means they are actually SharePoint files.

According to the notes in
https://www.microsoft.com/security/blog/2016/03/22/new-feature-in-office-2016-can-block-macros-and-help-prevent-infection/
The macro will not be blocked when the file is opened from within the tenant (OneDrive for Business or SharePoint Online) of the user signed into the client, i.e., your own tenant. That explains why your GPO fails when opening files that are shared over Teams.


You may try this method to turn off the Trusted Documents feature for network locations:
https://support.microsoft.com/en-us/topic/trusted-documents-cf872bd8-47ec-4c02-baa5-1fdba1a11b53#:~:text=Turn%20off%20Trusted%20Documents%20feature%20for%20network%20locations,in%20the%20Trust%20Center.%20Click%20the%20File%20tab.

File > Options > Trust Center > Trust Center Settings > Trusted Documents > Allow documents on a network to be trusted



Best Regards,
Samson Peng


However, according to my colleague's test, after performing the three listed GPOs, Teams correctly shows the notification.

So it is also recommended to check your configuration to see if GPOs have performed well.

I get that too, but it allows you to click on "Enable Content" and then the macro runs; this is not supposed to happen. On the devices where it works as expected, after clicking the button, another red banner appears saying the administrator has blocked the content.

MikeLehmann-8939 answered

Thanks, but I mentioned in the OP that I have already turned off both trusted locations settings, but it has no effect on opening files shared over Teams.
Logically, this makes no sense anyway, as if you explicitly said to disallow macros from the Internet, yet MS allows it to run regardless because you saved it to SharePoint/OneDrive? Seems like a stupidly easy way to bypass the deny rule. In any case, I have disabled trusted locations and it still doesn't work.

Further, the whole thing is completely inconsistent: some users can open the file (from Outlook or another location other than Teams), others can't and are blocked by Trust Center settings. Office 365 does not consistently open in protected mode when a file containing macros is opened.
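
One way to carry out the configuration check suggested in the thread, as an added example that is not part of any post above: it compares the three Excel policies from the question with the values present in the signed-in user's policy hive, and optionally shows a local file's Mark of the Web. The `16.0` Office version in the registry path, the user-scope (HKCU) hive, and the `-Path` parameter are assumptions of this example.

```powershell
# Added example, not from the thread. Assumes Office 16.0 and user-scope policy.
param(
    [string]$Path   # hypothetical parameter: a locally saved workbook to inspect
)

$sec = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Excel\Security'

# The three settings named in the question, with the data each should write.
$expected = @(
    [pscustomobject]@{ Policy = 'Block macros from office files from the Internet = Enabled'
                       Key = $sec; Name = 'blockcontentexecutionfrominternet'; Want = 1 }
    [pscustomobject]@{ Policy = 'Allow trusted locations on the network = Disabled'
                       Key = "$sec\Trusted Locations"; Name = 'allownetworklocations'; Want = 0 }
    [pscustomobject]@{ Policy = 'Turn off trusted documents on the network = Enabled'
                       Key = "$sec\Trusted Documents"; Name = 'disablenetworktrusteddocuments'; Want = 1 }
)

# Read each value; a missing key or value means the policy never reached this user.
$report = foreach ($e in $expected) {
    $item   = Get-ItemProperty -Path $e.Key -Name $e.Name -ErrorAction SilentlyContinue
    $actual = $item.($e.Name)
    [pscustomobject]@{
        Policy   = $e.Policy
        Expected = $e.Want
        Actual   = if ($null -eq $actual) { 'not set' } else { $actual }
        Applied  = ($actual -eq $e.Want)
    }
}
$report | Format-Table -AutoSize

if ($Path) {
    # Files saved by a browser or mail client on NTFS carry a Zone.Identifier
    # alternate data stream; ZoneId=3 is the Internet zone.
    $motw = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if ($motw) { $motw } else { "No Zone.Identifier stream on $Path" }
}
```

Run it in the affected user's session on a device that blocks the macro and on one that does not, then compare the two tables; `gpresult /r` shows whether the GPO itself was applied to that user.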