Enhanced Security in Microsoft 365: ActiveX Disabled by Default to Combat Hackers

Key Security Update for Microsoft 365 Users

Microsoft has strategically improved user security across its 365 suite by setting ActiveX controls to disabled as the default configuration in its applications. This pivotal update commenced earlier this month, targeting a significant decrease in the vulnerability to malware and unauthorized code executions associated with outdated ActiveX technology.

From April 2025, ActiveX controls will be automatically blocked in the Windows versions of Microsoft Word, Excel, PowerPoint, and Visio, enhancing protection without user prompt.

Comprehensive Security Improvements

Building on past measures seen in Office 2024, this adjustment mirrors Microsoft’s ongoing commitment to secure its software ecosystem more robustly. Zaeem Patel, Office Security Product Manager, explains that this shift from the previous ‘Prompt me before enabling all controls with minimal restrictions’ setting marks a significant stride towards mitigating potential security threats spiritedly.

By activating the DisableAllActiveX default setting, any document containing ActiveX controls will flag a “BLOCKED CONTENT” alert, prompting further user action to understand or alter control settings.

Options for Organizations Requiring Legacy ActiveX

Organizations that still depend on ActiveX functionalities aren’t left out. Modifications can be made through Group Policy settings or by deploying cloud policies via the Microsoft 365 Cloud Policy service.

The Risks of Legacy Technology

Since its introduction in 1996, ActiveX has been an integral part of Microsoft’s software development framework, providing deep system integration capabilities but consequently attracting misuses by cyber adversaries.

Security experts have incessantly advocated for these changes, considering them essential to distancing Microsoft’s software portfolio from once-permissive, exploitable features,

Adapting to New Security Standards

With ActiveX disabled, user interaction with ActiveX objects in Microsoft 365 documents will be restricted, treating existing objects as non-functional, static images. Microsoft emphasizes that users exercise vigilance, especially when prompted to adjust ActiveX settings.

• Steer clear of unsolicited file attachments.
• Maintain a cautious stance if urged to modify ActiveX settings by unfamiliar contacts.
• Be skeptical of pop-up messages that request changes to ActiveX settings.

To re-enable ActiveX functionalities:

• Navigate through File > Options > Trust Center.
• Access Trust Center Settings and proceed to ActiveX Settings.
• Select “Prompt me before enabling all controls with minimal restrictions” and confirm by clicking OK.

This security update is already accessible to Beta Channel users and is progressively rolling out to Current Channel (Preview) users with Version 2504 (Build 18730.20030) or newer.

This sweeping change is a part of Microsoft’s broader strategy to align its legacy systems with contemporary security demands, ensuring a balanced approach towards innovation and user safety.