Will Dormann

If it's a small number, then I suspect that macros disabled by default (and I mean actually disabled, not that silly "Enable Content" button that anybody can click) might go a long way in protecting people. I'm not an real sysadmin, so perhaps there are factors I'm not aware of?

I fully agree with you. To me, macros should be disabled by default in Office, without a button to enable them too easily, as it was the case with Office 2000 to 2003. It should be an administrator decision to allow end-users to run macros in an enterprise environment.

For some reason I missed your article from 2016, and it's really a great resource. It shows very clearly that the Office 2010 UI was a step backward for security with the Enable Content button. I think it's the main reason behind the resurgence of macros in 2014.

Just about anyone using Excel professionally will scream bloody murder if you try to turn the macros off globally. A more nuanced approach is necessary - e.g., turn macros off only in some Office applications, restrict macros to trusted sources, etc.

Ideally they'd roll out the Office sandboxing (Hyper-V) to every windows machine that has hardware support for it, instead of office365+ and windows enterprise E5's