Your VBA macros worked on Windows 10. Now they don't. You've checked the Trust Center, lowered the macro security setting, and the workbook still won't run its code. You might have even tried re-enabling the macro in the security warning bar — only to see it blocked again the next time.
This happens to a lot of organizations after a Windows 11 upgrade, and the fix isn't always obvious. Code signing is usually part of the answer — but signing alone doesn't solve everything if you're also dealing with legacy .xls files that need to be migrated. If your macros are also failing because of 64-bit API declarations, see our guide on fixing VBA PtrSafe errors on Windows 11. This post covers both the signing and migration sides.
Two things changed that affect macro behavior on Windows 11:
When you download a file from the internet or receive it via email, Windows attaches a hidden attribute called the Mark of the Web (MOTW). Starting with Microsoft 365 updates in 2022 (and enforced more broadly on Windows 11), Office automatically disables VBA macros in MOTW-flagged files with no prompt to enable them.
If your workbooks are distributed via SharePoint, email, or downloaded from internal portals, they may be picking up this flag. Even files copied from a USB drive to a non-trusted location can trigger it.
If you've been using SelfCert.exe to sign your VBA projects — Office's built-in self-signing tool — your signature only works on the machine that generated the certificate. Other machines must have that certificate manually added to their Trusted Publishers certificate store, or the macro will be blocked regardless of security settings.
This wasn't a problem when everyone worked on the same machine or a small number of shared workstations. It becomes a problem the moment someone gets a new laptop with a fresh Windows 11 install.
A digital signature on a VBA project proves two things:
When Office detects a signed macro from a Trusted Publisher, it runs it without prompting. When it detects an unsigned macro (or a macro from an untrusted publisher), it blocks it — more aggressively on Windows 11 than on previous versions.
Code signing is the right long-term solution. It's also a prerequisite if your organization's Group Policy enforces the "Disable all macros except digitally signed macros" setting.
| Factor | Self-Signed (SelfCert.exe) | Commercial Code Signing Cert |
|---|---|---|
| Cost | Free | $100–$500/year (DigiCert, Sectigo, etc.) |
| Trusted by default | Only on the machine that created it | All Windows machines (via chain of trust) |
| Deployment | Manual cert import on each machine | Works immediately everywhere |
| Best for | Single machine, personal use | Distributed workbooks, IT teams, organizations |
| MOTW files | May still be blocked | Trusted publisher status bypasses MOTW block |
If you're deploying workbooks to more than one machine, a commercial certificate is the right choice. The cost is low relative to the time saved managing manual certificate imports.
Whether you're using a self-signed certificate or a commercial one, the signing process in Excel is the same.
Self-signed: Open the Start menu and search for "Digital Certificate for VBA Projects" (or find SelfCert.exe in your Office installation folder, typically C:\Program Files\Microsoft Office\root\Office16\). Run it, enter a name for your certificate, and click OK.
Commercial: Purchase from DigiCert, Sectigo, or GlobalSign. They'll provide a .pfx file. Import it to your certificate store via certmgr.msc → Personal → Certificates → Import.
Open your workbook. Press Alt + F11 to open the Visual Basic Editor.
On each machine that needs to run the macro, a user must see the certificate at least once and choose "Trust all documents from this publisher." This can also be pushed via Group Policy using the certificate's thumbprint — ask your IT team.
Here's where legacy file formats intersect with the code signing problem.
If your macros live in .xls files (the old binary Excel format), you're dealing with two problems at once:
The reliable path is to migrate .xls to .xlsm first, then sign the VBA project. This gives you a properly structured modern container with full support for current Office security mechanisms.
The catch: most conversion tools strip your VBA code when converting from .xls to .xlsm. You end up with a modern format file with no macros — which doesn't help anyone.
LegacyLeaps converts .xls to .xlsm while preserving every VBA module, form, and class. Your code arrives intact in the modern format — ready to be signed and trusted on Windows 11.
Run Free ScanSometimes you don't have access to the VBA source — the project is locked, the original developer is gone, or the password is lost. In that case:
After signing and saving the workbook, test it on a clean machine (one that hasn't previously trusted your publisher):
If you're using a commercial certificate and the macro still doesn't run, check that the file doesn't have the Mark of the Web attached. Right-click the file → Properties → General tab → look for an "Unblock" checkbox or "Security" section at the bottom. Check Unblock and click OK.
To summarize the correct sequence when dealing with legacy VBA workbooks on Windows 11:
Skipping step 2 — leaving files in .xls while trying to apply Windows 11 security solutions — produces inconsistent results. The .xlsm format is the right container for signed, modern-Excel-compatible VBA code.
Download LegacyLeaps and scan your files for free. See exactly what needs to be converted before you spend a penny.
Download Free ScannerWindows 11 updated its macro security defaults. Self-signed certificates must be in the Trusted Publishers list of each machine that runs the macro — not just the machine that signed it. If your certificate wasn't distributed to all machines before the upgrade, macros will be blocked even though they were signed. Additionally, files with the Mark of the Web are now blocked by default regardless of signing status.
A self-signed certificate (created with SelfCert.exe) is free and works on a single machine. Other machines must have the certificate manually added to their Trusted Publishers store, which doesn't scale. A commercial code signing certificate from a CA like DigiCert or Sectigo is trusted by all Windows machines automatically, making it the right choice for workbooks distributed across an organization.
Yes. Converting a file changes the container format, which invalidates the existing digital signature. After conversion, you must re-sign the VBA project with your certificate. LegacyLeaps preserves the VBA code during migration — you apply the signature as a post-migration step.
Practical fixes for legacy Excel and Access problems. No spam.