Microsoft to Disable ActiveX Controls by Default in Microsoft Office 2024 to Enhance Security
The official release of Microsoft Office 2024 is just around the corner. Alongside introducing new features, Microsoft continues to bolster the office suite's security. A notable security measure is the disabling of ActiveX controls by default.
ActiveX controls are custom utilities based on the Component Object Model (COM) technology. Developers use this technology to create plugins that offer automated workflows or additional functionalities to users.
Why is Microsoft Limiting These Controls?
Given that these controls can execute programming and automation tasks, hackers have exploited ActiveX technology for attacks. Moreover, the actual usage of ActiveX technology has been declining.
Microsoft recently announced through the Microsoft 365 admin center (notice MC884011):
Starting with Microsoft Office 2024, the default configuration for ActiveX objects will change from "Prompt me before enabling all controls" to "Disable all controls without notification." This means no prompts will appear for ActiveX contained in future documents.
This change directly makes it harder for hackers to trick users into enabling ActiveX controls, as users will no longer see any prompts, effectively blocking the controls.
Although blocking controls might affect the loading of certain content, this is not a major issue. Some ActiveX objects will be displayed as static images, which gives an overview without user interaction and prevents any malicious code from running.
The policy of disabling ActiveX controls without notifications applies by default to Word 2024, Excel 2024, PowerPoint 2024, and Visio 2024.
However, policies differ between Enterprise and Home editions. In the Enterprise edition of Office 2024, users will not receive any ActiveX notifications, whereas Home edition users will find the new default settings equivalent to the existing DisableAllActiveX group policy setting.
These changes apply to the perpetual version of Office, while Microsoft 365 subscription versions will adopt this policy in April 2025. Users who still need to use ActiveX can reactivate these controls after understanding the security risks, through the following methods:
Methods to Reactivate ActiveX Controls:
- In the Trust Center settings dialog of Office applications, find the ActiveX settings and select "Prompt me before enabling all controls with minimal restrictions."
- Modify the registry and change the DisableAllActiveX value to 0:
  HKEY_CURRENT_USER\Software\Microsoft\Office\Common\Security\DisableAllActiveX
Note: Method 1 is recommended because it allows users to select different security levels based on their needs, whereas Method 2 disables all ActiveX policies entirely.
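A defender-side check for the registry value named above, as an added example (not Microsoft's code): it reads DisableAllActiveX from every user hive currently loaded under HKEY_USERS, so accounts where ActiveX was re-enabled through the registry stand out. Reading a nonzero value as "disable-all in effect" is an assumption; the article only states that 0 re-enables the controls. The function name and output labels are illustrative.

```powershell
# Added example: audit DisableAllActiveX across loaded user hives.
# Run elevated to read hives of other logged-on users; hives of users who
# are not logged on are not loaded and are not covered by this check.

$SubKey    = 'Software\Microsoft\Office\Common\Security'   # path from the article
$ValueName = 'DisableAllActiveX'

function Get-ActiveXRegistryState {
    param(
        [Parameter(Mandatory)]
        [string]$Sid   # user SID whose hive is loaded under HKEY_USERS
    )

    $path = "Registry::HKEY_USERS\$Sid\$SubKey"
    $item = Get-ItemProperty -Path $path -Name $ValueName -ErrorAction SilentlyContinue

    if ($null -eq $item) {
        # Key or value absent: the application's built-in default applies.
        return [pscustomobject]@{ Sid = $Sid; Value = $null; State = 'NotSet' }
    }

    $value = [int]$item.$ValueName
    $state = if ($value -eq 0) {
        'ReEnabledViaRegistry'      # the article's "Method 2"
    } else {
        'DisableAllPresent'         # assumption: nonzero means disable-all
    }
    [pscustomobject]@{ Sid = $Sid; Value = $value; State = $state }
}

# Real user hives look like S-1-5-21-...; skip the *_Classes hives and
# the built-in service accounts.
$results = Get-ChildItem -Path 'Registry::HKEY_USERS' |
    Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |
    ForEach-Object { Get-ActiveXRegistryState -Sid $_.PSChildName }

$results | Sort-Object State | Format-Table -AutoSize

# Surface the accounts that need follow-up.
$reEnabled = @($results | Where-Object { $_.State -eq 'ReEnabledViaRegistry' })
if ($reEnabled.Count -gt 0) {
    Write-Warning "$($reEnabled.Count) user hive(s) have $ValueName set to 0."
}
```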