How can I use the registry or code to block all users on a host from running macros in Office files from the internet?

Great question—this is a common pain point when trying to lock down macro security across all users without tedious per-user configuration. Let’s break down why your HKLM tweak didn’t stick and the reliable, global solutions to fix this:

Why Your Initial HKLM Registry Change Failed

Chances are one of these issues is blocking the setting from taking effect:

  • Wrong registry path: If you’re running 32-bit Office on a 64-bit system, you need to target HKLM:\Software\Wow6432Node\... instead of the default HKLM:\Software\... path.
  • Incorrect value type: The BlockContentExecutionFromInternet entry must be a DWORD set to 1—using other types (like String) won’t be recognized by Office.
  • Office was running: Office programs cache registry settings on launch; you need to restart them after making changes for the new setting to load.

This is the most reliable method, as it directly maps to Office’s official security framework and automatically applies to all existing and new users:

  1. Download and install the Office Administrative Template Files (ADMX/ADML) for your Office 16.0 version (covers 2016/365/2019/2021).
  2. Open the Local Group Policy Editor by running gpedit.msc as Administrator.
  3. Navigate to:
    Computer Configuration > Administrative Templates > Microsoft Office 2016 > [Office Program] > Security Settings
    (Replace [Office Program] with Word, Excel, PowerPoint, Outlook, etc.)
  4. Find the policy named Block macros from running in files from the internet (wording may vary slightly by Office version) and set it to Enabled.
  5. Repeat this for every Office program you want to lock down. The policy will automatically create the correct HKLM registry entries for all users.

2. Scripted HKLM Registry Configuration (For Quick Deployment)

If you prefer using registry scripts, use this PowerShell script to apply the setting to all major Office programs, covering both 32-bit and 64-bit Office installations:

# Define target Office programs and registry paths
$officePrograms = @("word", "excel", "powerpoint", "outlook", "access")
$baseRegistryPaths = @(
    "HKLM:\Software\policies\microsoft\office\16.0",
    "HKLM:\Software\Wow6432Node\policies\microsoft\office\16.0"
)

# Loop through paths and programs to create the required keys/values
foreach ($basePath in $baseRegistryPaths) {
    foreach ($program in $officePrograms) {
        $fullPath = Join-Path $basePath "$program\security"
        # Create the path if it doesn't exist
        if (-not (Test-Path $fullPath)) {
            New-Item -Path $fullPath -Force | Out-Null
        }
        # Set the DWORD value to block internet macros
        New-ItemProperty -Path $fullPath -Name "BlockContentExecutionFromInternet" -Value 1 -PropertyType DWORD -Force | Out-Null
    }
}

Write-Host "Global internet macro block settings applied successfully. Restart Office programs for changes to take effect."

  • Run this script as Administrator. It ensures the setting is applied to both 64-bit and 32-bit Office environments, covering all specified programs.
  • Remind users to restart their Office apps after running the script.

3. Office Customization Tool (OCT) For Deployment

If you’re deploying Office across multiple machines, use the OCT to bake this security setting into the installation package:

  1. Launch the OCT by running setup.exe /admin (requires a volume license version of Office).
  2. Navigate to:
    Features > Modify user settings > Microsoft Office 2016 > [Office Program] > Security Settings
  3. Enable the Block macros from running in files from the internet setting.
  4. Save the customization file and use it to deploy Office. This will enforce the global setting for all users on every machine where Office is installed.

The question in this content comes from Stack Exchange; question author: menjamin
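
An added example, not part of the original answer: a read-only PowerShell audit that checks each of the three failure causes listed above (registry path, value type, Office still running) for the keys the script writes. The function name Test-MacroBlockValue and the process names WINWORD, EXCEL, POWERPNT, OUTLOOK and MSACCESS are assumptions of this example.

```powershell
# Added example: read-only audit of the values written by the script above.
$valueName = 'BlockContentExecutionFromInternet'

# Registry subkey -> process name (process names are assumptions of this example)
$apps = [ordered]@{
    word = 'WINWORD'; excel = 'EXCEL'; powerpoint = 'POWERPNT'
    outlook = 'OUTLOOK'; access = 'MSACCESS'
}
$basePaths = @(
    'HKLM:\Software\policies\microsoft\office\16.0',
    'HKLM:\Software\Wow6432Node\policies\microsoft\office\16.0'
)

# Hypothetical helper: returns OK, KeyMissing, ValueMissing, WrongType(...) or WrongData
function Test-MacroBlockValue {
    param([string]$KeyPath, [string]$Name)
    $key = Get-Item -LiteralPath $KeyPath -ErrorAction SilentlyContinue
    if (-not $key) { return 'KeyMissing' }
    # GetValueKind throws on a missing value, so check the name first
    if ($key.GetValueNames() -notcontains $Name) { return 'ValueMissing' }
    $kind = $key.GetValueKind($Name)
    if ($kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) { return "WrongType($kind)" }
    if ($key.GetValue($Name) -ne 1) { return 'WrongData' }
    return 'OK'
}

$report = foreach ($base in $basePaths) {
    foreach ($app in $apps.Keys) {
        $path = Join-Path $base "$app\security"
        # A running Office process still holds the settings it read at launch
        $running = @(Get-Process -Name $apps[$app] -ErrorAction SilentlyContinue).Count -gt 0
        [pscustomobject]@{
            Path         = $path
            Status       = Test-MacroBlockValue -KeyPath $path -Name $valueName
            NeedsRestart = $running
        }
    }
}

$report | Format-Table -AutoSize -Wrap
```

Any row whose Status is not OK, or whose NeedsRestart is True, points to one of the causes in the "Why Your Initial HKLM Registry Change Failed" list.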