Microsoft has disabled ActiveX controls by default in Microsoft 365 and Office 2024. The change rolled out to Office 2024 in October 2024 and to Microsoft 365 apps beginning April 2025. Word, Excel, PowerPoint, and Visio are all affected. Existing ActiveX objects in documents are preserved as static images — functional controls are blocked.
Understanding the Security Implications of ActiveX Deprecation
ActiveX, introduced in 1996, has become increasingly vulnerable to exploitation by threat actors. Security researchers have documented numerous cases where cybercriminal groups leverage ActiveX vulnerabilities to deploy sophisticated malware, including TrickBot and Cobalt Strike. This legacy framework, while originally designed to enable interactive elements in Office documents, has evolved into a significant security liability for organizations worldwide.
Technical Implementation and User Impact
By default, the change blocks ActiveX functionality across Word, Excel, PowerPoint, and Visio. Users who open a document containing ActiveX controls receive a security notification, with more detail available through a “Learn More” option. Existing ActiveX objects are preserved as static images, which neutralizes their potential security risk while the rest of the document stays intact.
Security Configurations and Best Practices
While organizations can still enable ActiveX through Trust Center settings, Microsoft’s security team strongly advises against this practice. The recommendation aligns with the principle of least privilege and modern security frameworks that prioritize system hardening over legacy compatibility. Security administrators should conduct comprehensive audits of their Office documents to identify and remediate ActiveX dependencies before the update rolls out.
Microsoft’s Broader Security Roadmap
This initiative is part of Microsoft’s comprehensive security strategy that began in 2018. The company has systematically restricted potentially dangerous features, including VBA macros, XLM macros, and XLL add-ins. The announced deprecation of VBScript in May 2024 further demonstrates Microsoft’s commitment to eliminating legacy attack vectors.
Organizations and end users affected by the ActiveX change
Users of Microsoft 365 on Windows (from April 2025) and Office 2024 (from October 2024) who have documents containing active ActiveX controls will be unable to interact with those controls by default. Most home users are unaffected — ActiveX was primarily used in enterprise forms, legacy macros, and custom business applications. Organizations with document workflows built on ActiveX must audit their templates and forms before or shortly after the April 2025 rollout.
What enterprises should do before and after the change
- Audit Office documents for ActiveX dependencies using the Trust Center or Group Policy’s “List of managed add-ins” report
- Migrate ActiveX forms to modern alternatives: Power Apps, Content Controls, or web-based forms where possible
- If a specific ActiveX control is still required, it can be re-enabled per document via File → Options → Trust Center → ActiveX Settings — but Microsoft strongly recommends against this in public-facing documents
- Deploy via Group Policy: admins can set the ActiveX default centrally using the “Block all Active X controls in Office documents” policy
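For the audit step above, one way to find ActiveX dependencies in .docx, .xlsx and .pptx files is to inspect each package's content types and part paths. This is an added example, not Microsoft tooling or code from the original article; `make_package`, `activex_parts` and `SAMPLE_TYPES` are hypothetical names and the sample package is constructed.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Content types Office assigns to ActiveX parts (activeXN.xml, activeXN.bin).
ACTIVEX_TYPES = {"application/vnd.ms-office.activeX+xml",
                 "application/vnd.ms-office.activeX"}
# Constructed sample; a real [Content_Types].xml lists many more parts.
SAMPLE_TYPES = (
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Default Extension="bin" ContentType="application/vnd.ms-office.activeX"/>'
    '<Override PartName="/word/vbaProject.bin"'
    ' ContentType="application/vnd.ms-office.vbaProject"/>'
    '<Override PartName="/word/activeX/activeX1.xml"'
    ' ContentType="application/vnd.ms-office.activeX+xml"/></Types>')


def make_package(parts):
    """Build a constructed in-memory ZIP from {part name: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in parts.items():
            zf.writestr(name, data)
    return io.BytesIO(buf.getvalue())


def activex_parts(package):
    """Return sorted ActiveX part names in an OOXML file (path or file object)."""
    try:
        with zipfile.ZipFile(package) as zf:
            names, types_xml = zf.namelist(), zf.read("[Content_Types].xml")
    except (zipfile.BadZipFile, KeyError) as exc:
        raise ValueError("not an OOXML package (legacy binary format?)") from exc
    if b"<!DOCTYPE" in types_xml:
        # Office writes no DTD here; refuse one rather than expand entities.
        raise ValueError("unexpected DTD in [Content_Types].xml")
    overrides, defaults = {}, {}
    for el in ET.fromstring(types_xml):
        ctype = el.get("ContentType", "")
        if el.tag.endswith("}Override"):
            overrides[el.get("PartName", "").lstrip("/").lower()] = ctype
        elif el.tag.endswith("}Default"):
            defaults[el.get("Extension", "").lower()] = ctype
    def is_activex(name):
        low = name.lower()
        # An Override entry takes precedence over the per-extension Default.
        ctype = overrides.get(low) or defaults.get(low.rsplit(".", 1)[-1])
        return ctype in ACTIVEX_TYPES or "/activex/" in "/" + low
    return sorted(n for n in names if is_activex(n))
```

Call `activex_parts(path)` on each template or form in a document share: a non-empty result marks a file to review or migrate. A `ValueError` marks a file that is not an OOXML package, such as a legacy binary .doc or .xls, which this check does not cover.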