Table of Contents
- Is Microsoft’s Bold Move to Disable ActiveX in Office 365 the Ultimate Win for Security?
- What Is ActiveX and Why Does It Matter?
- What’s Changing in Microsoft 365?
- Why Is Microsoft Making This Change?
- Security
- Modernization
- Consistency
- How Does This Impact You?
- Can You Still Use ActiveX If Needed?
- Manual Re-Enablement
- IT Control
- Security Warning
- How to Re-Enable ActiveX
- Rollout Timeline
Is Microsoft’s Bold Move to Disable ActiveX in Office 365 the Ultimate Win for Security?
Microsoft has announced a decisive change: starting April 2025, ActiveX controls will be disabled by default in Microsoft 365 (formerly Office 365) applications, including Word, Excel, PowerPoint, and Visio. This move aims to significantly strengthen security for users and organizations by eliminating a long-standing vulnerability.
What Is ActiveX and Why Does It Matter?
ActiveX is an older Microsoft technology introduced in 1996, designed to embed interactive content and automation into Office documents and web browsers. It was widely used in Internet Explorer, Visual Basic, and VBA-based Office automation. However, ActiveX has long been criticized for its inherent security flaws. It allows deep access to system resources, making it a preferred target for malware and cyberattacks.
What’s Changing in Microsoft 365?
- ActiveX controls will be blocked by default in all Windows versions of Microsoft 365 apps.
- When a document containing ActiveX content is opened, users will see a notification banner stating, “BLOCKED CONTENT: The ActiveX content in this file is blocked”.
- No interaction will be possible with existing ActiveX objects; they may appear as static images, but users cannot use or edit them.
- No prompt to enable the controls will be shown when they are blocked, further reducing the risk of accidental activation.
Why Is Microsoft Making This Change?
Security
ActiveX has been a persistent security risk, often exploited by attackers to run unauthorized code or install malware.
Modernization
Microsoft is phasing out legacy technologies to streamline and secure its Office ecosystem.
Consistency
This update aligns Microsoft 365 with Office 2024, where ActiveX was already disabled by default.
How Does This Impact You?
- Increased Protection: The risk of malware and unauthorized code execution via Office documents is dramatically reduced.
- Legacy Content: Documents with embedded ActiveX controls will lose interactive functionality. Some controls will display as images only.
- User Experience: Users will not be prompted to enable ActiveX, closing a common avenue for social engineering attacks.
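To find the legacy documents this change affects, the following added example (not Microsoft tooling and not part of the original article) inventories a folder tree for Office Open XML files that contain ActiveX parts. It assumes controls are stored as parts under an `activeX/` folder inside the package; the function names and sample data are constructed for illustration.

```python
import io
import zipfile
from pathlib import Path

# Assumption: OOXML packages keep ActiveX controls as parts under
# word/activeX/, xl/activeX/ or ppt/activeX/ (activeXN.xml plus activeXN.bin).
OOXML_SUFFIXES = {".docx", ".docm", ".xlsx", ".xlsm", ".pptx", ".pptm"}


def activex_parts(source):
    """Return sorted ActiveX part names in one package, or None if unreadable."""
    try:
        with zipfile.ZipFile(source) as pkg:
            return sorted(n for n in pkg.namelist() if "/activex/" in n.lower())
    except zipfile.BadZipFile:
        # Legacy binary, encrypted or corrupt files are not ZIP packages;
        # report them separately instead of treating them as clean.
        return None


def inventory(root):
    """Scan a folder tree; return (files with ActiveX parts, unreadable files)."""
    affected, unreadable = {}, []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in OOXML_SUFFIXES:
            continue
        parts = activex_parts(path)
        if parts is None:
            unreadable.append(str(path.relative_to(root)))
        elif parts:
            affected[str(path.relative_to(root))] = parts
    return affected, unreadable


def sample_package(with_activex):
    """Constructed sample: a minimal ZIP mimicking an .xlsx part layout."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/workbook.xml", "<workbook/>")
        if with_activex:
            z.writestr("xl/activeX/activeX1.xml", "<ocx/>")
            z.writestr("xl/activeX/activeX1.bin", b"\x00")
    return buf


if __name__ == "__main__":
    print(activex_parts(sample_package(True)))   # constructed sample with a control
    print(activex_parts(sample_package(False)))  # constructed sample without one
```

Files listed as unreadable need a separate review, since the scan only covers ZIP-based Office formats.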
Can You Still Use ActiveX If Needed?
Yes, but with caution:
Manual Re-Enablement
Advanced users and organizations can manually re-enable ActiveX through:
- Office application Trust Center settings
- Group Policy adjustments
- Registry edits
IT Control
Administrators can centrally manage ActiveX settings for users via Group Policy.
Security Warning
Re-enabling ActiveX increases your exposure to security risks and should only be done if absolutely necessary and in a controlled environment.
How to Re-Enable ActiveX
- Go to File > Options > Trust Center > Trust Center Settings > ActiveX Settings.
- Change to “Prompt before enabling all controls with minimal restrictions” or similar.
- Confirm and restart the Office application.
Rollout Timeline
- Office 2024: ActiveX disabled by default since October 2024.
- Microsoft 365: Change begins rolling out in April 2025, starting with Beta channel users and expanding to all users in stages.
Microsoft’s decision to disable ActiveX by default in Microsoft 365 is a strong, positive step toward a safer and more reliable Office experience. While it may pose challenges for legacy workflows, the security benefits far outweigh the inconvenience for most users.