Forge Home


Configure ACSC office macro controls


218 latest version

5.0 quality score

Version information

  • 0.1.0 (latest)
released Jan 11th 2022
This version is compatible with:
  • Puppet Enterprise 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x, 2019.8.x
  • Puppet >= 6.21.0 < 8.0.0

Start using this module

  • r10k or Code Manager
  • Bolt
  • Manual installation
  • Direct download

Add this module to your Puppetfile:

mod 'benjaminrobertson-acsc_e8_office_hardening', '0.1.0'
Learn more about managing modules with a Puppetfile

Add this module to your Bolt project:

bolt module add benjaminrobertson-acsc_e8_office_hardening
Learn more about using this module with an existing project

Manually install this module globally with Puppet module tool:

puppet module install benjaminrobertson-acsc_e8_office_hardening --version 0.1.0

Direct download is not typically how you would use a Puppet module to manage your infrastructure, but you may want to download the module in order to inspect the code.



benjaminrobertson/acsc_e8_office_hardening — version 0.1.0 Jan 11th 2022


Automate the enforcement of the ACSC essential eight Microsoft office macro security.

The module will restrict the use of macros within Office.

There are 4 operating modes

  • All macros allowed - default mode
  • All macros disabled - disable all macros in Office, most secure setting
  • Only macros from trusted locations - Only permit macros from locations specified in the trusted_location parameter
  • Only macros digitally signed by trusted publishers - Macros must be signed by a trusted publisher.

Please see ACSC documentation for more details. Saved link

Table of Contents

  1. Description
  2. Setup - The basics of getting started with acsc_e8_office_hardening
  3. Usage - Configuration options and additional functionality
  4. Limitations - OS compatibility, etc.
  5. Development - Guide for contributing to the module


Use this module to automate the enforcement of ACSC Essential 8 Office macro controls.


What acsc_e8_office_hardening affects

acsc_e8_office_hardening will add required registry settings to systems to restrict Office macros as required.

Most registry settings are applied to HKEY_USER. Due to this, Puppet will manage a significant number of resources as each user has their own registry hive. acsc_e8_office_hardening will also modify the default c:\users\Default\ntuser.dat. This is required for any new users who log on to the system. Without this, Puppet won't restrict that user until the next Puppet run. A suboptimal outcome. By default the module will mount and check the default ntuser.dat on each clean boot and every 24 hours thereafter.

Setup Requirements

Plugin sync is required for this module. Three facts will be automatically distributed

  • office_macro_local_sids
  • office_macro_last_run
  • office_macro_uptime

Following forge modules are required

  • puppetlabs-stdlib
  • puppetlabs-registry

Beginning with acsc_e8_office_hardening

The very basic steps needed for a user to get the module up and running. This can include setup steps, if necessary, or it can be an example of the most basic use of the module.


In most basic form, non-enforcement mode.

include acsc_e8_office_hardening

Block all macros

  class {'acsc_e8_office_hardening':
    macro_setting       => 'all_macros_disabled',

Permit macros from trusted location using a profile and hiera

class profile::office_hardening (
  Hash $trusted_locations = {}
  class {'acsc_e8_office_hardening':
    macro_setting       => 'macros_from_trusted_locations'',
    trusted_locations   => $trusted_locations,

Corresponding hiera data

    path: 'c:\\temp'
    date: '12/12/2021 12:00 PM'
    description: 'Temp on c for macros'
    allowsub: true

Explanation of trusted_location hash

  location1: - Name of hash
    path: 'c:\\temp' - Path to allow (string)
    date: '12/12/2021 12:00 PM' - Date, use format as shown (string) (Optional)
    description: 'Temp on c for macros' - Description of location (string) (Optional)
    allowsub: true - Permit subdirectory true\false (boolean) (Optional)


Supported office versions

  • Office 365
  • Office 2016
  • Office 2019

Developed and tested on

  • Windows 2019
  • Office 365


Please submit any issues to the issue tracker. Pull requests keenly accepted :)