This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(54.400000000000006, 17%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EHP%3C/text%3E%3C/svg%3E)
Before blocking macro executions via GPO in my environment, I'm looking to monitor the macro usage. Any suggestion how to monitor the macros would be appreciated.
Thank you.
Based on my knowledge, your requirement needs the help of tools.
Such as for Microsoft 365 apps, there is a tool "Readiness Toolkit tool" for Office add-ins and VBA.
According to the article "Use the Readiness Toolkit to assess application compatibility for Microsoft 365 Apps", this tool could crearte a VBA readiness report, including an inventory of recently opened files that use VBA macros.
For more about this tool, you could also refer to following article.
Using Office Readiness/Telemetry Tools To Plan Macro/Add-On Hardening
(Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.)
Hope this information could be helpful.
If an Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
@Harish Parameswaran
Please check whether my information is helpful.
If you have any updates or questions, you could post back.
Hi Emily, Worked like a charm. Cheers.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(278.4, 36%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EIF%3C/text%3E%3C/svg%3E)
I am wondering if this can help us to get logs for Outlook Macro file.
We have a macro which checks if the email is sent to external email and pops up asking for confirmation. I would like to have a central area for tracking to see if this works on all the devices across organization using Intune or EndPoint Manager.
Thanks in advance for your help :)
We found that Defender Portal logs were capturing .docm/.xlsm files being opened, including their paths.
You can also check out an area in the registry which records if someone's enabled a macro file:
"Now we know that every time a user clicks on 'Enable Editing; or 'Enable Content', Microsoft Office will add the path to the document as a Registry value under the program's TrustRecords key.
We also know that if the last four bytes of the trusted document's value data is set to FF FF FF 7F it means that the user enabled macros in the document"
HKEY_CURRENT_USER\Software\Microsoft\Office\[office_version]\Word\Security\Trusted Documents\TrustRecords
HKEY_CURRENT_USER\Software\Microsoft\Office\[office_version]\Excel\Security\Trusted Documents\TrustRecords
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(41.6, 12%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPC%3C/text%3E%3C/svg%3E)
@campbellkerr , I am wondering when you say "we found that Defender Portal logs were capturing .docm/.xlsm files being opened, including their paths." Could you please tell me where in the Defender Portal do I look for and find these specific logs, which node or how to generate the logs.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(169.60000000000002, 73%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETB%3C/text%3E%3C/svg%3E)
You can write a query in the Advanced threat hunting portal in Defender