How to Audit Legacy Files Before a Windows 11 Rollout: The IT Team's Checklist

The Windows 11 rollout looks smooth in the lab. Then you push it to Finance and three people can't open their Excel files. One Access database that tracks inventory stops working entirely. Now you're fielding calls from department heads while trying to figure out which of 1,400 files on a shared drive are actually affected.

This doesn't have to happen. A structured legacy file audit before the rollout takes a few hours and prevents days of remediation. This guide gives you the discovery scripts, risk classification framework, and conversion priority matrix to do it right. Once your audit is complete, our IT manager's migration playbook covers the full project plan from conversion through sign-off.

Why Windows 11 Breaks Legacy Files

Three changes are responsible for most legacy file failures after a Windows 11 migration:

1. 64-bit Office drops the Jet engine. .mdb files run on Microsoft's Jet database engine, which was removed from 64-bit Office. On Windows 11 with 64-bit Office 365, .mdb files simply won't open without additional configuration — and ActiveX forms inside them will fail even with workarounds.
2. Macro trust policy changes (June 2022+). Microsoft changed how Office handles macro-enabled files downloaded from the internet or network shares. Macros that worked fine on Windows 10 are silently blocked on Windows 11 unless your Group Policy explicitly establishes trusted locations. This catches almost every organization off guard during rollout.
3. PtrSafe requirements for 64-bit VBA. Any VBA code that calls Windows API functions using old 32-bit Declare statements will throw a compile error on 64-bit Office. This includes common patterns in legacy .xls files built before 2010.

None of these are Office bugs — they're intentional security and architecture changes. But they're silent until a user opens the wrong file at the wrong time.

Step 1: Discover Every Legacy File in Your Environment

Start with a full inventory. Don't rely on user reports — users don't know what they have until they need it. Run these PowerShell scripts from a machine with read access to your file shares.

Scan a file share

# Scan a file share for all legacy Office files
$rootPath = "\\server\share"
$extensions = @("*.xls", "*.xla", "*.mdb", "*.xlsm", "*.xlsb", "*.mde", "*.ade")

Get-ChildItem -Path $rootPath -Recurse -Include $extensions -ErrorAction SilentlyContinue |
  Select-Object FullName, Extension, Length, LastWriteTime |
  Sort-Object Extension, LastWriteTime -Descending |
  Export-Csv -Path "C:\audit\legacy-files.csv" -NoTypeInformation

Write-Host "Scan complete. Results in C:\audit\legacy-files.csv"

Scan local workstations via remote session

# Run against a list of workstation hostnames
$workstations = Get-Content "C:\audit\workstations.txt"
$results = @()

foreach ($pc in $workstations) {
  try {
    $files = Get-ChildItem -Path "\\$pc\c$\Users" -Recurse `
      -Include "*.xls","*.mdb","*.xlsm","*.xla" `
      -ErrorAction Stop
    $results += $files | Select-Object @{n='Machine';e={$pc}}, FullName, Extension, LastWriteTime
  } catch {
    Write-Warning "Could not access $pc"
  }
}

$results | Export-Csv -Path "C:\audit\workstation-legacy-files.csv" -NoTypeInformation

Get a quick count by extension

Import-Csv "C:\audit\legacy-files.csv" |
  Group-Object Extension |
  Select-Object Name, Count |
  Sort-Object Count -Descending |
  Format-Table -AutoSize

Typical findings for a 100-seat organization: 200–800 .xls files, 10–50 .mdb files. The .mdb files are almost always the high-risk items despite the smaller count.

Step 2: Classify Files by Risk Tier

Not all legacy files carry the same risk. A 2003 budget spreadsheet nobody opens is not the same as an Access database running inventory calculations. Classify every file into one of three tiers before deciding what to do with it.

Tier	Definition	Examples	Action
Critical	Used in production workflows, automated processes, or opened by multiple users regularly	Inventory .mdb, payroll macro workbook, shared reporting template	Convert before rollout. No exceptions.
High	Actively used by one person or team, not automated. Significant disruption if unavailable.	Department budget tracker, client data export, sales pipeline .xlsm	Convert before rollout or within first 2 weeks.
Low	Not modified in 12+ months, or read-only archive. No active macros or database links.	Old reports, archived project files, reference spreadsheets	Defer or batch-convert after rollout.

How to classify quickly

Use the LastWriteTime column from your CSV as a first pass:

• Modified in the last 90 days → start as High, verify manually
• Modified 90 days to 2 years ago → start as Low, escalate if users confirm active use
• Modified 2+ years ago → Low, archive unless told otherwise

Then add department context. Files in shared Finance, HR, Operations, or Inventory folders should be reviewed with the department head regardless of modification date — business-critical files sometimes go unchanged for months between uses.

Step 3: Audit Critical and High Files for Complexity

For every Critical and High file, you need to know what's inside before you convert. The failure modes are predictable; you just need to check for them.

For .xls and .xlsm files with macros

• Open in Excel on a Windows 10 machine (pre-rollout). Open the VBA editor (Alt+F11).
• Check for Declare statements in any module. These are your PtrSafe candidates.
• Check for CreateObject or COM automation calls (Word, Outlook, Shell). These often fail on 64-bit.
• Check References (Tools → References) for missing or broken references. A red "MISSING:" entry means it will fail on a new machine.
• Check for ActiveX controls on worksheets (right-click any worksheet tab → View Code, look for MSForms references).
• Check for external data connections (Data → Queries & Connections). Connections pointing to .mdb sources are doubly at risk.

For .mdb files

• Open in Access on a 32-bit Office machine. Run the Database Documenter (Database Tools → Database Documenter) for a full object inventory.
• Check for linked tables pointing to other .mdb files, Excel sheets, or ODBC sources. Each link is a dependency that must be re-validated after conversion.
• Check for VBA modules (Navigation Pane → Module objects). Any Declare statements need PtrSafe updates.
• Check for ActiveX controls in forms (form design view → control types in the Selection Type box). ActiveX controls may need replacement after conversion to .accdb.
• Check for Jet SQL-specific syntax: IIF(), TRANSFORM, PIVOT — verify these aren't using deprecated Jet-only functions.
• Record the database size. Files over 1 GB are at higher risk of compaction issues during conversion.

Step 4: Build Your Conversion Priority Matrix

With your inventory classified and complexity noted, build a simple matrix to drive your rollout timeline. Keep it in a shared location so department heads can confirm ownership:

File	Type	Tier	Complexity	Owner	Convert By
inventory.mdb	.mdb	Critical	High (linked tables, ActiveX)	Ops Team	Before rollout
payroll-2024.xls	.xls	Critical	High (PtrSafe, COM)	Finance	Before rollout
sales-pipeline.xlsm	.xlsm	High	Medium (basic macros)	Sales	Week 1 of rollout
budget-archive-2019.xls	.xls	Low	None	Finance	Batch after rollout

Step 5: Address the Macro Trust Policy Before You Push the OS

This is the step most IT teams skip — and it generates the most helpdesk tickets after rollout.

Microsoft's June 2022 Office update changed macro defaults: files originating from internet or network shares are blocked by Mark of the Web (MOTW) even if users previously unblocked them on Windows 10. This setting does not migrate with the user profile.

Before rollout, create a Group Policy Object to restore trusted locations:

# GPO path for trusted locations (Office 2016/2019/365)
# User Configuration → Administrative Templates → Microsoft Excel 2016 →
#   Excel Options → Security → Trust Center → Trusted Locations
#
# Key setting: "Allow Trusted Locations not on the computer" = Enabled
# Add your file share paths under "Trusted Location #1" through "Trusted Location #20"

# Verify the policy is applied after deployment:
gpresult /r /scope:user | findstr "Trusted"

Set trusted locations for your Finance, HR, and Operations shares before pushing Windows 11. This one GPO prevents the majority of "my macros stopped working" calls.

Step 6: Validate Converted Files Before Production

Don't convert and immediately deploy. Build a 3–5 day validation window into your rollout timeline:

1. Set up a Windows 11 test machine with the same Office version users will receive.
2. Open each Critical converted file and run through a test script with the file's owner.
3. For .mdb → .accdb conversions: test every form, report, query, and macro. Confirm linked tables resolve correctly.
4. For .xls → .xlsx conversions with macros: enable macros, run the primary workflow, check that all formulas calculate and external data connections resolve.
5. Document validation results (Pass / Pass with issues / Fail) in your matrix.

Any file that fails on the test machine needs remediation before rollout — not after.

The Full Pre-Rollout Checklist

• Discovery scripts run across all file shares and workstations
• Every .xls, .mdb, .xlsm, .xla, .mde file inventoried in a CSV
• All Critical files identified and confirmed with department heads
• All Critical files audited for macros, VBA complexity, and linked dependencies
• All Critical files converted and validated on a Windows 11 test machine
• High files converted or scheduled for Week 1
• Low files batched for post-rollout conversion
• GPO deployed for macro trusted locations on all relevant file shares
• 64-bit ACE redistributable deployed to machines that need .accdb compatibility without full Access install
• Helpdesk briefed on common failure patterns and identification steps
• Rollback plan documented for Critical file failures (prior .xls/.mdb backups retained)

How Long Does All This Take?

For a 100–250 seat organization with 500–1,000 legacy files:

Phase	Estimated Time
Discovery (file shares only)	1–2 hours
Discovery (workstations added)	2–4 hours
Risk classification	Half day
Critical file complexity audit	1–2 days
Conversion (manual)	1–3 weeks
Conversion (with LegacyLeaps)	Hours to 1 day
Validation	3–5 days

The conversion step is where most teams lose time. Manual conversion of a complex .mdb with VBA macros and linked tables can take a full day per file. If you have 20 High-risk files, that's 20+ days — compressed into a pre-rollout sprint that rarely has that kind of margin.

Frequently Asked Questions

Do .xls files still work on Windows 11?

.xls files will open in modern Excel on Windows 11, but compatibility issues increase with each Office update. Files with VBA macros are especially vulnerable — macro trust policies changed significantly in 2022, and 64-bit Office does not fully support all 32-bit Jet/VBA patterns found in older .xls files.

Do .mdb files work on 64-bit Windows 11?

.mdb files require the Jet database engine, which Microsoft removed from 64-bit Office. On 64-bit Windows 11 with 64-bit Office 365, .mdb files will not open without installing a 32-bit ACE redistributable — and even then, ActiveX forms and 32-bit VBA APIs will fail.

Should I convert files before or after the Windows 11 rollout?

Always convert Critical files before the rollout. Converting after means users will hit errors in production. Migrating proactively on the old OS lets you test on both platforms and roll back if needed.

How long does a legacy file audit take?

Discovery takes 1–4 hours depending on file share size. Risk classification takes 2–8 hours. Manual complexity audit of Critical files takes 1–2 days. Full migration of a 500-file estate typically takes one IT team member 1–2 weeks, or hours using a tool like LegacyLeaps.

← Back to all posts