Microsoft Disables ActiveX Controls by Default in Microsoft 365 to Boost Security
Microsoft has taken a major step to strengthen security within its productivity tools by disabling ActiveX controls by default in Microsoft 365 apps.
This critical update, which began rolling out earlier this month, is designed to minimize the risk of malware and unauthorized code execution—issues long associated with the aging ActiveX technology.
ActiveX Blocking Starts April 2025
Starting in April 2025, Microsoft Word, Excel, PowerPoint, and Visio on Windows will automatically block ActiveX controls without prior notification. This mirrors a similar move made in the standalone Office 2024 package released in October 2024.
What Changes for Users?
Previously, the default setting allowed users to enable ActiveX with minimal restrictions—leaving room for attackers to exploit the feature through malicious files or social engineering tactics.
Now, a stricter default setting will block these controls entirely. Users opening a file containing ActiveX will see a message stating: “BLOCKED CONTENT: The ActiveX content in this file is blocked,” along with a link to learn more. Organizations can manage this setting via the Cloud Policy service for Microsoft 365.
A Security Risk in Legacy Technology
Introduced in 1996, ActiveX enabled interactive elements in Office documents but has remained a security concern due to its deep system access. Cybersecurity professionals have long urged Microsoft to phase it out.
“Making its subscription customers wait just a little longer for better security is emblematic of Microsoft’s cautious, phased approach,” according to a ThreatDown security analysis.
With ActiveX disabled, users will no longer be able to create or interact with ActiveX components in Microsoft 365 documents. Existing controls may appear as static visuals, lacking any interactive functionality.
Security Best Practices and Opt-Out Instructions
Microsoft advises users to stay vigilant when prompted to change ActiveX settings and avoid:
- Opening unexpected file attachments, even from known sources
- Trusting requests from unknown senders to enable ActiveX
- Responding to pop-ups asking for ActiveX adjustments
Users who still need ActiveX can re-enable it via:
File > Options > Trust Center > Trust Center Settings > ActiveX Settings, then selecting
“Prompt me before enabling all controls with minimal restrictions”
Alternatively, setting the registry key HKEY_CURRENT_USER\Software\Microsoft\Office\Common\Security\DisableAllActiveX to 0 (REG_DWORD) restores the previous behavior.
Rollout and Future Commitment
The update is currently available for Beta Channel users and is being released to Current Channel (Preview) users with Version 2504 (Build 18730.20030) or newer.
This move underscores Microsoft’s broader effort to phase out legacy features while aligning its productivity suite with modern security standards.
Found this article interesting? Follow us on X(Twitter) and FaceBook to read more exclusive content we post.
