

Configure ACSC office macro controls



Version information

  • 0.2.0 (latest)
  • 0.1.1 (deleted)
  • 0.1.0 (deleted)
released Mar 23rd 2022
This version is compatible with:
  • Puppet Enterprise 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x, 2019.8.x
  • Puppet >= 6.21.0 < 8.0.0

Start using this module

  • r10k or Code Manager
  • Bolt
  • Manual installation
  • Direct download

Add this module to your Puppetfile:

mod 'benjaminrobertson-acsc_e8_office_hardening', '0.2.0'

Add this module to your Bolt project:

bolt module add benjaminrobertson-acsc_e8_office_hardening

Manually install this module globally with Puppet module tool:

puppet module install benjaminrobertson-acsc_e8_office_hardening --version 0.2.0

Direct download is not typically how you would use a Puppet module to manage your infrastructure, but you may want to download the module in order to inspect the code.



benjaminrobertson/acsc_e8_office_hardening — version 0.2.0 Mar 23rd 2022


Automate enforcement of the ACSC Essential Eight Microsoft Office macro security controls.

The module will restrict the use of macros within Office.

There are 4 operating modes:

  • All macros allowed - default mode
  • All macros disabled - disable all macros in Office, most secure setting
  • Only macros from trusted locations - Only permit macros from locations specified in the trusted_locations parameter
  • Only macros digitally signed by trusted publishers - Macros must be signed by a trusted publisher.

Please see ACSC documentation for more details.

Table of Contents

  1. Description
  2. Setup - The basics of getting started with acsc_e8_office_hardening
  3. Usage - Configuration options and additional functionality
  4. Limitations - OS compatibility, etc.
  5. Development - Guide for contributing to the module


Use this module to automate the enforcement of ACSC Essential 8 Office macro controls.


What acsc_e8_office_hardening affects

acsc_e8_office_hardening will add required registry settings to systems to restrict Office macros as required.

Most registry settings are applied under HKEY_USERS. Because each user has their own registry hive, Puppet will manage a significant number of resources. acsc_e8_office_hardening will also modify the default user hive, c:\users\Default\ntuser.dat. This is required to cover any new users who log on to the system; without it, Puppet won't restrict a new user until the next Puppet run. By default the module will mount and check the default ntuser.dat on each clean boot and every 24 hours thereafter.

Setup Requirements

Plugin sync is required for this module. Three facts will be automatically distributed:

  • office_macro_local_sids
  • office_macro_last_run
  • office_macro_uptime

The following Forge modules are required:

  • puppetlabs-stdlib
  • puppetlabs-registry

Beginning with acsc_e8_office_hardening



In its most basic form, the module runs in non-enforcement mode:

include acsc_e8_office_hardening

Block all macros

  class {'acsc_e8_office_hardening':
    macro_setting       => 'all_macros_disabled',
  }

Permit macros from trusted locations using a profile and Hiera

class profile::office_hardening (
  Hash $trusted_locations = {}
) {
  class {'acsc_e8_office_hardening':
    macro_setting       => 'macros_from_trusted_locations',
    trusted_locations   => $trusted_locations,
  }
}

Corresponding Hiera data

profile::office_hardening::trusted_locations:
  location1:
    path: 'c:\\temp'
    date: '12/12/2021 12:00 PM'
    description: 'Temp on c for macros'
    allowsub: true

Explanation of the trusted_locations hash

  location1: - Name of hash
    path: 'c:\\temp' - Path to allow (string)
    date: '12/12/2021 12:00 PM' - Date, use format as shown (string) (Optional)
    description: 'Temp on c for macros' - Description of location (string) (Optional)
    allowsub: true - Permit subdirectories, true/false (boolean) (Optional)
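
An added example (not part of the module or its README): a small Python check for the trusted_locations hash described above, run over the parsed Hiera data before it is handed to Puppet. The date format, the list of user-writable folders and the name lint_trusted_locations are assumptions of this example.

```python
import re
from datetime import datetime

ALLOWED_KEYS = {"path", "date", "description", "allowsub"}
# Assumption: the README's date example is month/day/year with a 12-hour clock.
DATE_FORMAT = "%m/%d/%Y %I:%M %p"
# Assumption (this example's heuristic, not the module's): folders that
# standard users can normally write to. \\+ accepts doubled backslashes.
USER_WRITABLE = re.compile(
    r"^(c:\\+(temp|users|programdata)|%(temp|appdata|userprofile)%)(\\|$)", re.I)

def lint_trusted_locations(locations):
    """Return (name, level, message) findings for a trusted_locations hash."""
    findings = []
    for name, entry in locations.items():
        path = entry.get("path")
        if not isinstance(path, str) or not path.strip():
            findings.append((name, "error", "path is required and must be a string"))
            continue
        unknown = sorted(set(entry) - ALLOWED_KEYS)
        if unknown:
            findings.append((name, "error", "unknown keys: " + ", ".join(unknown)))
        if "date" in entry:
            try:
                datetime.strptime(entry["date"], DATE_FORMAT)
            except (TypeError, ValueError):
                findings.append((name, "error", "date must look like '12/12/2021 12:00 PM'"))
        if not isinstance(entry.get("description", ""), str):
            findings.append((name, "error", "description must be a string"))
        if not isinstance(entry.get("allowsub", False), bool):
            findings.append((name, "error", "allowsub must be a boolean, not a string"))
        # Network shares and user-writable folders both need a permissions review.
        if path.startswith("\\\\") or USER_WRITABLE.match(path):
            scope = " and its subfolders" if entry.get("allowsub") is True else ""
            findings.append((name, "warn",
                             f"{path}{scope}: confirm standard users cannot write here"))
    return findings

# Constructed sample data, shaped like the parsed Hiera hash.
SAMPLE = {
    "location1": {"path": r"c:\\temp", "date": "12/12/2021 12:00 PM",
                  "description": "Temp on c for macros", "allowsub": True},
    "finance": {"path": r"d:\\approved_macros\\finance", "allowsub": "true"},
    "broken": {"date": "2021-12-12"},
}

if __name__ == "__main__":
    for finding in lint_trusted_locations(SAMPLE):
        print(*finding, sep=" | ")
```

A trusted location that ordinary users can write to lets any dropped document run its macros, so the warning is worth resolving with folder permissions before the path is trusted.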


Supported office versions

  • Office 365
  • Office 2016
  • Office 2019

Developed and tested on

  • Windows 2019
  • Office 365


Please submit any issues to the issue tracker. Pull requests keenly accepted :)