Macro Runtime Scan Scope

This policy setting specifies the behavior for both the VBA and Excel 4.0 (XLM) runtime scan features. Multiple Office apps support VBA macros, but XLM macros are only supported by Excel. Macros can only be scanned if the anti-virus software registers as an Antimalware Scan Interface (AMSI) provider on the device.

If you enable this policy setting, you can choose from the following options to determine the macro runtime scanning behavior:

- Disable for all files (not recommended): If you choose this option, no runtime scanning of enabled macros will be performed.

- Enable for low trust files: If you choose this option, runtime scanning will be enabled for all files for which macros are enabled, except for the following files:
- Files opened while macro security settings are set to "Enable All Macros"
- Files opened from a Trusted Location
- Files that are Trusted Documents
- Files that contain VBA that is digitally signed by a Trusted Publisher

- Enable for all files: If you choose this option, then low trust files are not excluded from runtime scanning.

The VBA and XLM runtimes report to an antivirus system certain high-risk code behaviors the macro is about to execute. This allows the antivirus system to indicate whether or not the macro behavior is malicious. If the behavior is determined to be malicious, the Office application closes the session and the antivirus system can quarantine the file. If the behavior is non-malicious, the macro execution proceeds.

Note: When macro runtime scanning is enabled, the runtime performance of affected VBA projects and XLM sheets may be reduced.

If you disable this policy setting, no runtime scanning of enabled macros will be performed.

If you don't configure this policy setting, "Enable for low trust files" will be the default setting.

Note: This policy setting only applies to subscription versions of Office, such as Microsoft 365 Apps for enterprise.

Supported on: At least Windows 10 Server, Windows 10 or Windows 10 RT




  1. Disable for all documents
    Registry HiveHKEY_CURRENT_USER
    Registry Pathsoftware\policies\microsoft\office\16.0\common\security
    Value Namemacroruntimescanscope
    Value TypeREG_DWORD
    Value0
  2. Enable for low trust documents
    Registry HiveHKEY_CURRENT_USER
    Registry Pathsoftware\policies\microsoft\office\16.0\common\security
    Value Namemacroruntimescanscope
    Value TypeREG_DWORD
    Value1
  3. Enable for all documents
    Registry HiveHKEY_CURRENT_USER
    Registry Pathsoftware\policies\microsoft\office\16.0\common\security
    Value Namemacroruntimescanscope
    Value TypeREG_DWORD
    Value2


office16.admx

Administrative Templates (Computers)

Administrative Templates (Users)