In the January 2019 update of the Australian Signals Directorate's (ASD) Information Security Manual (ISM) there is a new requirement to block Adobe Flash in Microsoft Office.  This article takes you through how to make this configuration change.

In the January 2019 ISM update ASD introduced control 1541, which applies to all classification levels and has a priority of "Must".

Security Control: 1541; Revision: 0; Updated: Jan-19; Applicability: O, P, S, TS; Priority: Must
Microsoft Office is configured to disable support for Flash content

Microsoft state that the settings described below affect the following scenarios:

"Controls directly embedded in an Office document, for example, Flash video directly embedded within a PowerPoint document using the Insert Object functionality" and "Controls invoked by extensibility components within the Office process, for example, Power View add-in that uses Silverlight", however "this does not cover scenarios where these controls are activated outside the Office process, for example, a Flash video inserted into a document via the Insert Online Video functionality."

Disable Adobe Flash in Office 365

If you have a subscription for Office 365 then you're in luck, as Microsoft enabled this block for you (as well as for Shockwave and Silverlight) on the following dates:

  1. Controls are blocked in Office 365 Monthly Channel starting in June 2018.
  2. Controls are blocked in Office 365 Semi Annual Targeted (SAT) Channel starting in September 2018.
  3. Controls are blocked in Office 365 Semi Annual (SA) Channel starting in January 2019.

For those of you on earlier versions of Microsoft Office, such as Office 2010, Office 2013, or Office 2016, there are registry keys that can block any instances of COM objects being loaded within the Office process, including through other means like add-ins. There are two CLSIDs for Adobe Flash which should be blocked: Shockwave Flash Object (D27CDB6E-AE6D-11cf-96B8-444553540000) and Macromedia Flash Factory Object (D27CDB70-AE6D-11cf-96B8-444553540000).

Disable Adobe Flash in Office 2010 and 2013

To disable Adobe Flash in Office 2010 or Office 2013 you'll need to create the following registry subkeys and REG_DWORD values.

For 64 bit Office on 64 bit Windows (or 32 bit Office on 32 bit Windows):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common\COM Compatibility\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common\COM Compatibility\{D27CDB70-AE6D-11cf-96B8-444553540000}]
"Compatibility Flags"=dword:00000400

For 32 bit Office on 64 bit Windows:

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Office\Common\COM Compatibility\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Office\Common\COM Compatibility\{D27CDB70-AE6D-11cf-96B8-444553540000}]
"Compatibility Flags"=dword:00000400

Disable Adobe Flash in Office 2016

To disable Adobe Flash in Office 2016 you'll need to create the following registry subkeys and REG_DWORD values.

For 64 bit Office on 64 bit Windows (or 32 bit Office on 32 bit Windows):

[HKEY_LOCAL_MACHINE\Software\Microsoft\Office\16.0\Common\COM Compatibility\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\Software\Microsoft\Office\16.0\Common\COM Compatibility\{D27CDB70-AE6D-11CF-96B8-444553540000}]
"Compatibility Flags"=dword:00000400

For 32 bit Office on 64 bit Windows:

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Office\16.0\Common\COM Compatibility\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Office\16.0\Common\COM Compatibility\{D27CDB70-AE6D-11cf-96B8-444553540000}]
"Compatibility Flags"=dword:00000400

I'd recommend adding the settings for all combinations of CPU architecture and Office Version so that you're covered for any scenario of Office being installed on your devices.
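
One way to apply and verify every combination listed above in a single pass, as an added PowerShell example (not from the original article or from Microsoft). It assumes an elevated 64-bit PowerShell session on 64-bit Windows (or a 32-bit session on 32-bit Windows), and the variable names are illustrative.

```powershell
# Added example: sets "Compatibility Flags" = 0x400 for both Flash CLSIDs under
# every Office path the article lists, then reads each value back to confirm it.
# Assumption: elevated session whose bitness matches the OS. A 32-bit session on
# 64-bit Windows is redirected to Wow6432Node for every HKLM:\SOFTWARE path.

$clsids = @(
    '{D27CDB6E-AE6D-11cf-96B8-444553540000}',  # Shockwave Flash Object
    '{D27CDB70-AE6D-11cf-96B8-444553540000}'   # Macromedia Flash Factory Object
)

# Office 2010/2013 use the version-less path; Office 2016 uses 16.0.
$officeRoots = @(
    'Microsoft\Office\Common\COM Compatibility',
    'Microsoft\Office\16.0\Common\COM Compatibility'
)

# Native registry view always; the Wow6432Node view only on 64-bit Windows.
$hives = @('HKLM:\SOFTWARE')
if ([Environment]::Is64BitOperatingSystem) { $hives += 'HKLM:\SOFTWARE\Wow6432Node' }

$name  = 'Compatibility Flags'
$value = 0x400   # the REG_DWORD value the article sets

$results = foreach ($hive in $hives) {
    foreach ($root in $officeRoots) {
        foreach ($clsid in $clsids) {
            $key = "$hive\$root\$clsid"
            # Create the key only if it is missing, so existing values are kept.
            if (-not (Test-Path -LiteralPath $key)) {
                New-Item -Path $key -Force | Out-Null
            }
            New-ItemProperty -LiteralPath $key -Name $name -Value $value `
                -PropertyType DWord -Force | Out-Null
            # Read the value back rather than trusting the write.
            $actual = (Get-ItemProperty -LiteralPath $key -Name $name).$name
            [pscustomobject]@{
                Key     = $key
                Value   = '0x{0:X8}' -f $actual
                Blocked = ($actual -eq $value)
            }
        }
    }
}

$results | Format-Table -AutoSize
if ($results.Blocked -contains $false) {
    Write-Error 'At least one key is not set to 0x00000400.'
}
```

The table it prints has one row per key, so the output can be kept as evidence that control 1541 is applied on the device.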

If you only need to block COM in linking and embedding scenarios, you can find out more in the Microsoft article below.

Sources:

Microsoft.com: Security Settings for COM objects in Office

Microsoft.com:  Blocking Flash, Shockwave, Silverlight controls from activating in Office Applications for Security