After Office 2024 launches in October, Microsoft will disable ActiveX controls by default in Word, Excel, PowerPoint, and Visio client apps.
ActiveX is a legacy software framework introduced in 1996 that enables developers to create interactive objects that can be embedded in Office documents. Redmond will start by turning off ActiveX controls in documents opened in Win32 Office desktop apps in October 2024, a change that will also roll out to Microsoft 365 apps in April 2025.
“Starting in new Office 2024, the default configuration setting for ActiveX objects will change from Prompt me before enabling all controls with minimal restrictions to Disable all controls without notification,” the company said in a new Microsoft 365 message center entry.
“Users will no longer be able to create or interact with ActiveX objects in Office documents when this change is implemented.”
While some existing ActiveX objects will continue to appear as static images in Office documents, users will no longer be able to interact with them.
However, in non-commercial versions of Office, they will receive notifications stating, “The new default setting is equivalent to the existing DisableAllActiveX group policy setting” when ActiveX objects are blocked under the new default configuration.
Once the change is implemented, users who need to enable ActiveX controls in Office documents can revert to the previous default settings by using one of the following methods:
- In the Trust Center Settings dialog, under ActiveX Settings, select the ‘Prompt me before enabling all controls with minimal restrictions’ option.
- In the registry, set HKEY_CURRENT_USERSoftwareMicrosoftOfficeCommonSecurityDisableAllActiveX to 0 (REG_DWORD).
- Set the ‘Disable All ActiveX’ group policy setting to 0.
This change was likely prompted by ActiveX’s well-known security issues, such as zero-day vulnerabilities exploited by Andariel North Korean hackers to deploy information-stealing malware.
Attackers have also used ActiveX controls embedded in Word documents to install TrickBot malware and Cobalt Strike beacons to infiltrate enterprise networks,
The move is part of a broader effort to remove or turn off Office and Windows features that threat actors have abused to infect Microsoft customers with malware. It dates back to 2018 when Microsoft expanded support for its Antimalware Scan Interface (AMSI) to Office 365 client apps to thwart attacks that used Office VBA macros.
Since then, Redmond has also disabled Excel 4.0 (XLM) macros, started blocking VBA Office macros by default, introduced XLM macro protection, and began blocking untrusted XLL add-ins by default across Microsoft 365 tenants worldwide.
It also announced in May that it will kill off VBScript in the second half of 2024 by making it an on-demand feature until it’s completely removed.