Require that application add-ins are signed by Trusted Publisher

This policy setting controls whether add-ins for the specified 2007 Office applications must be digitally signed by a trusted publisher.

If you enable this policy setting, the specified applications check the digital signature for each add-in before loading it. If an add-in does not have a digital signature, or if the signature did not come from a trusted publisher, the application disables the add-in and notifies the user.

If you disable or do not configure this policy setting, 2007 Office applications do not check the digital signature on application add-ins before opening them. If a dangerous add-in is loaded, it could harm users' computers or compromise data security.

Enabling this policy setting could cause disruptions for users who rely on add-ins that are not signed by trusted publishers. These users will either have to obtain signed versions of such add-ins or stop using them.

Microsoft provides four certificates for the 2007 Office release, which you can add to the Trusted Publishers list. These certificates must be added to the Trusted Publishers list if you require that all add-ins be signed by a trusted publisher. If you do not add these certificates to the Trusted Publishers list and you require that all add-ins be signed by a trusted publisher, users might see Message Bar notifications and dialog box notifications when they use various applications and application features. These notifications display because some applications use built-in add-ins that ship with the 2007 Office release. If the certificates for these add-ins are not added to the Trusted Publishers list and the add-ins are invoked, the add-ins are disabled and users are prompted to enable them. The Microsoft certificates are named Mscert01.cer, Mscert02.cer, Mscert03.cer, Mscert04.cer, and can be found on the Microsoft Web site.

The 2007 Office release stores certificates for trusted publishers in the Internet Explorer trusted publisher store. Earlier versions of Office stored trusted publisher certificate information (specifically, the certificate thumbprint) in a special Office trusted publisher store. The 2007 Office release still reads trusted publisher certificate information from the Office trusted publisher store, but it does not write information to this store. Therefore, if you created a list of trusted publishers in a previous version of Office and you upgrade to the 2007 Office release, your trusted publisher list will still be recognized. However, any trusted publisher certificates that you add to the list will be stored in the Internet Explorer trusted publisher store.

For more information about trusted publishers, see the following documentation:

*Microsoft Office Online article: "Add, remove, or view a trusted publisher" (http://r.office.microsoft.com/r/rlidGroupPolicyTrustedPub?clid=en-us)

*Microsoft Knowledge Base article: "How To Use Software Restriction Policies in Windows Server 2003" (http://r.office.microsoft.com/r/rlidGroupPolicyTrustedPub2?clid=en-us)

*Microsoft TechNet article: "Using Software Restriction Policies" (http://r.office.microsoft.com/r/rlidGroupPolicyTrustedPub3?clid=en-us)

*Chapter 6: "Software Restriction Policy for Windows XP Clients" in the Windows XP Security Guide on Microsoft TechNet (http://r.office.microsoft.com/r/rlidGroupPolicyOfficeSecGuide?clid=en-us)

Supported on: At least Windows Vista

Registry HiveHKEY_CURRENT_USER
Registry PathSoftware\Policies\Microsoft\Office\12.0\Visio\Security
Value NameRequireAddinSig
Value TypeREG_DWORD
Enabled Value1
Disabled Value0

visio12.admx

Administrative Templates (Computers)

Administrative Templates (Users)