Plan Trusted Publishers settings for Office 2010

 

Applies to: Office 2010

Topic Last Modified: 2011-07-08


You can use the Trusted Publishers list to designate content publishers that you trust. This can be beneficial if your organization uses published content, such as Microsoft ActiveX controls, add-ins, and Visual Basic for Applications (VBA) macros.

A publisher is any developer, software company, or organization that has created and distributed a digitally signed ActiveX control, add-in, or VBA macro. A trusted publisher is any publisher that has been added to the Trusted Publishers list. When a user opens a file, and the file contains active content that is created by a trusted publisher, the trusted publisher’s content is enabled and users are not notified about any potential risks that might be contained in the file.

In this article:

  • About planning Trusted Publishers settings

  • Obtain certificates from known publishers

  • Determine which certificates must be added to the Trusted Publishers list

  • Related Trusted Publishers settings

About planning Trusted Publishers settings

To designate a publisher as a trusted publisher, you have to add the publisher’s certificate to the Trusted Publishers list. In this context, the publisher’s certificate is the digital certificate (.cer file) that the publisher used to digitally sign their published content. In most cases, you can obtain the .cer file from the publisher, or you can export it from the .cab, .dll, .exe, or .ocx file that is associated with the published content. If you are unsure which published content the organization uses, you might also have to determine whether any other published content runs with the organization’s Microsoft Office 2010 applications and then obtain certificates for that published content.

There are two methods you can use to add a publisher’s certificate to the Trusted Publishers list: the Office Customization Tool (OCT) or Group Policy. The OCT provides no settings for managing certificates other than adding a trusted publisher’s certificate to the Trusted Publishers list. If you want to manage certificate trust or if you want to establish specific trust relationships to satisfy business scenarios, you must use Group Policy. For more information about how to add trusted publishers to the Trusted Publishers list and how to manage trusted root certificates, see Manage Trusted Root Certificates (https://go.microsoft.com/fwlink/p/?LinkId=164939) and Manage Trusted Publishers (https://go.microsoft.com/fwlink/p/?LinkId=164941).

Obtain certificates from known publishers

You can usually obtain a certificate for published content by asking the publisher to send it to you. If you cannot obtain the certificate in this manner, and you know the name of the digitally signed .cab, .dll, .exe, or .ocx file that contains the published content, you can use the following procedure to export the certificate file.

Important

This procedure assumes the computer runs the Windows Vista operating system.

To export a certificate from a .dll file

  1. Right-click the file that the publisher has signed, and then click Properties.

  2. Click the Digital Signatures tab.

  3. In Signature list, click the certificate, and then click Details.

  4. In the Digital Signature Details dialog box, click View Certificate.

  5. Click the Details tab, and then click Copy to File.

  6. On the Certificate Export Wizard welcome page, click Next.

  7. On the Export File Format page, click DER encoded binary X.509 (.CER), and then click Next.

  8. On the File to Export page, type a path and name for the .cer file, click Next, and then click Finish.

Make sure that you save all of the .cer files on a network share that can be accessed by client computers during installation.
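
When many signed files are involved, the export procedure above can be scripted. The following PowerShell is an added example, not part of the original article: it checks the Authenticode signature of each file and writes the signer certificate as a DER-encoded .cer file only when the signature validates on the local computer. The paths in $SourceDir and $ShareDir are placeholders, and the [pscustomobject] syntax assumes Windows PowerShell 3.0 or later.

```powershell
# Added example, not from the original article.
# $SourceDir and $ShareDir are placeholder paths (assumptions); adjust them.
$SourceDir = 'C:\Program Files\ExampleVendor\AddIns'
$ShareDir  = '\\fileserver\OfficeCerts'

$exported = @{}   # thumbprints already written, so each publisher cert is saved once

$report = Get-ChildItem -Path $SourceDir -Recurse -Include *.cab, *.dll, *.exe, *.ocx |
    ForEach-Object {
        $sig     = Get-AuthenticodeSignature -FilePath $_.FullName
        $cert    = $sig.SignerCertificate
        $cerPath = $null

        # Export only when the signature validates on this computer. Unsigned,
        # modified, or untrusted-chain files are reported but never exported.
        if ($sig.Status -eq 'Valid') {
            $cerPath = Join-Path $ShareDir ("{0}.cer" -f $cert.Thumbprint)
            if (-not $exported.ContainsKey($cert.Thumbprint)) {
                # X509ContentType 'Cert' is the DER encoded binary X.509 format
                # selected in step 7; it holds the public certificate only.
                $der = $cert.Export(
                    [System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
                [System.IO.File]::WriteAllBytes($cerPath, $der)
                $exported[$cert.Thumbprint] = $true
            }
        }

        [pscustomobject]@{
            File       = $_.FullName
            Status     = $sig.Status
            Subject    = if ($cert) { $cert.Subject } else { $null }
            Thumbprint = if ($cert) { $cert.Thumbprint } else { $null }
            NotAfter   = if ($cert) { $cert.NotAfter } else { $null }
            CerFile    = $cerPath
        }
    }

# Review subject, thumbprint, and expiry before any certificate is distributed.
$report | Sort-Object Status, Subject | Format-Table -AutoSize
```

Files whose Status is anything other than Valid appear in the report with an empty CerFile column, which makes them easy to follow up with the publisher.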

Determine which certificates must be added to the Trusted Publishers list

In some cases, you might not know whether an organization uses published content or you might not know which published content to add to the Trusted Publishers list. This is usually relevant only if you have a highly restrictive environment and you require that all published content be signed. You can test Office 2010 applications for digitally signed content by using the following procedure.

Important

The following procedure assumes Word 2010 is running, but you can perform the same procedure on other Office 2010 applications.

To identify published content and add the content publisher to the Trusted Publishers list

  1. On a test computer or a client computer that is running the standard configuration for the organization (including any add-ins that users need), enable the Require Application Add-Ins to be signed by Trusted Publisher setting in the Trust Center by doing the following:

    • Click the File tab, click Options, click Trust Center, click Trust Center Settings, click Add-ins, click Require Application Add-ins to be signed by Trusted Publisher, and then click OK.

  2. Exit and restart Word. If add-ins are installed, the Message Bar displays the following message: Security Warning Some active content has been disabled. Click here for more details.

  3. On the Message Bar, click Some active content has been disabled. Click here for more details.

  4. Click the File tab, and in the Backstage view, click Enable Content, and then click Advanced Options.

  5. In the Security Alerts – Multiple Issues dialog box, install each certificate to the Trusted Publishers list by following these steps for each add-in that shows a valid digital signature:

    1. Click Show Signature Details.

    2. In the Digital Signature Details window, click View Certificate.

    3. In the Certificate window, click Install Certificate.

    4. In the Certificate Import Wizard, click Next, click Place all certificates in the following store, click Browse, click Trusted Publishers, click OK, click Next, and then click Finish.

  6. Prepare the certificate files for distribution:

    1. Click the File tab, click Options, click Trust Center, click Trust Center Settings, and then click Trusted Publishers.

    2. For each certificate, select the certificate, click View, and then follow these steps:

      1. In the Certificate window, on the Details tab, click Copy to File.

      2. In the Certificate Export Wizard, click Next, and then click Next again to accept the default file format, enter a file name, select a location to store the file, and then click Finish.
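
Before the exported files are distributed, it helps to review exactly which certificates ended up in the Trusted Publishers store on the test computer, because every certificate in that store enables signed active content without a prompt. The following PowerShell is an added example, not part of the original article: it lists the contents of the store for the current user and the local computer, flags certificates that are outside their validity period or that look self-signed, and exports the rest as DER-encoded .cer files. The $ShareDir path is a placeholder, the self-signed check (subject equals issuer) is a heuristic, and the [pscustomobject] syntax assumes Windows PowerShell 3.0 or later.

```powershell
# Added example, not from the original article.
# $ShareDir is a placeholder path (assumption); adjust it.
$ShareDir = '\\fileserver\OfficeCerts'
$stores   = 'Cert:\CurrentUser\TrustedPublisher', 'Cert:\LocalMachine\TrustedPublisher'
$now      = Get-Date

$audit = foreach ($store in $stores) {
    Get-ChildItem -Path $store | ForEach-Object {
        # A certificate outside its validity period is not worth distributing.
        $inValidity = ($_.NotBefore -le $now) -and ($_.NotAfter -gt $now)
        $cerPath    = $null

        if ($inValidity) {
            $cerPath = Join-Path $ShareDir ("{0}.cer" -f $_.Thumbprint)
            $der = $_.Export(
                [System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
            [System.IO.File]::WriteAllBytes($cerPath, $der)
        }

        [pscustomobject]@{
            Store      = $store
            Subject    = $_.Subject
            Issuer     = $_.Issuer
            Thumbprint = $_.Thumbprint
            NotAfter   = $_.NotAfter
            InValidity = $inValidity
            # Heuristic: subject equal to issuer usually means a self-signed
            # certificate, which deserves a closer look before it is trusted widely.
            SelfSigned = ($_.Subject -eq $_.Issuer)
            CerFile    = $cerPath
        }
    }
}

# Anything unexpected here was trusted during testing and should be questioned
# before it is deployed through the OCT or Group Policy.
$audit | Sort-Object Store, Subject | Format-Table -AutoSize
```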

Related Trusted Publishers settings

The following settings are often used with Trusted Publishers settings:


  • Require that application add-ins are signed by trusted publisher

    This setting restricts add-ins to only those that are signed by a trusted publisher.


  • Disable Trust Bar notification for unsigned application add-ins

    This setting prevents users from seeing Message Bar warnings about add-ins that are not signed by a trusted publisher.


  • VBA macro warning settings

    This setting restricts VBA macros to only those that are signed by a trusted publisher.


  • Disable all ActiveX

    This setting restricts ActiveX controls to only those that are signed by a trusted publisher.

Note

For the latest information about policy settings, refer to the Microsoft Excel 2010 workbook Office2010GroupPolicyAndOCTSettings_Reference.xls, which is available in the Files in this Download section on the Office 2010 Administrative Template files (ADM, ADMX, ADML) and Office Customization Tool (https://go.microsoft.com/fwlink/p/?LinkID=189316&clcid=0x409) download page.