Plan security settings for add-ins for Office 2010
Applies to: Office 2010
Topic Last Modified: 2011-08-05
If you want to control the way add-ins behave, or prevent users from running add-ins, you can modify Microsoft Office 2010 add-in settings.
In this article:
About planning add-in settings
Disable add-ins on a per-application basis
Require that application add-ins are signed by trusted publisher
Disable notifications for unsigned add-ins
About planning add-in settings
Microsoft Office 2010 provides several settings that enable you to control the behavior of add-ins. By configuring these settings, you can do the following:
Disable add-ins on a per-application basis.
Require that add-ins are signed by a trusted publisher.
Disable notifications for unsigned add-ins.
Add-in settings can be configured only on a per-application basis. There are no global add-in settings.
For detailed information about the settings that are discussed in this article, see Security policies and settings in Office 2010. For information about how to configure security settings in the Office Customization Tool (OCT) and the Office 2010 Administrative Templates, see Configure security for Office 2010.
By default, any add-in that is installed and registered can run without user intervention or warning. Installed and registered add-ins can include the following:
Component Object Model (COM) add-ins
Visual Studio Tools for Office (VSTO) add-ins
Automation add-ins
RealTimeData (RTD) servers
Application add-ins (for example, .wll, .xll, and .xlam files)
XML expansion packs
XML style sheets
This default behavior is the same as selecting the Trust all installed add-ins and templates setting in Microsoft Office 2003 or an earlier Microsoft Office system.
Disable add-ins on a per-application basis
Office 2010 provides a setting that enables you to disable add-ins. Use the following guidelines to determine whether to use this setting.
Setting name: Disable all application add-ins
Description: This setting disables all add-ins. By default, all installed and registered add-ins can run.
Impact: If you enable this setting, add-ins are disabled and users are not notified that add-ins are disabled. Enabling this setting could cause significant disruptions for users who work with add-ins. If users have business-critical add-ins installed, you might be unable to enable this setting.
Guidelines: Most organizations keep the default configuration for this setting.
Require that application add-ins are signed by trusted publisher
Office 2010 provides a setting that enables you to require that all add-ins be signed by a trusted publisher. Use the following guidelines to determine whether to use this setting.
Setting name: Require that application add-ins are signed by trusted publisher
Description: This setting controls whether add-ins must be digitally signed by a trusted publisher. By default, the publisher of an add-in does not have to be on the Trusted Publishers list for an add-in to run.
Impact: When you enable this setting, add-ins that are signed by a publisher that is on the Trusted Publishers list run without notification. Unsigned add-ins and add-ins that are signed by a publisher that is not on the Trusted Publishers list are disabled, but users are prompted to enable them. Enabling this setting could cause disruptions for users who rely on add-ins that are not signed by trusted publishers. These users will either have to obtain signed versions of such add-ins or stop using them.
Guidelines: Organizations that have a highly restrictive security environment typically enable this setting.
Disable notifications for unsigned add-ins
Office 2010 provides a setting that enables you to prevent users from seeing Message Bar warnings when unsigned add-ins are not able to run. Use the following guidelines to determine whether to use this setting.
Setting name: Disable Trust Bar Notification for unsigned application add-ins
Description: This setting controls whether users are notified when unsigned application add-ins are loaded, or whether such add-ins are silently disabled without notification. By default, a warning appears in the Message Bar when an unsigned add-in attempts to run.
Impact: If you enable this setting, users will not see a warning in the Message Bar when an unsigned add-in attempts to run and users will be unable to enable the unsigned add-in. Enabling this setting could cause disruptions for users who rely on add-ins that are not signed by trusted publishers. These users will either have to obtain signed versions of such add-ins or stop using them.
Guidelines: Organizations that have a highly restrictive security environment typically enable this setting if they require that all add-ins be signed by a trusted publisher.
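The following PowerShell sketch is an added planning aid, not code from Microsoft or from this article. It models how the three settings described above combine for each application and flags plan entries that are ineffective or redundant. The parameter names, the per-application plan, and the precedence rules marked as assumptions in the comments are constructed for illustration.

```powershell
# Added example: models the outcomes described in this article. Not Office code.
# Parameter names are hypothetical labels for the three settings discussed above.
function Get-AddinOutcome {
    param(
        [bool]$DisableAll,           # "Disable all application add-ins"
        [bool]$RequireSigned,        # "Require that application add-ins are signed by trusted publisher"
        [bool]$SuppressUnsignedBar,  # "Disable Trust Bar Notification for unsigned application add-ins"
        [ValidateSet('TrustedPublisher', 'UntrustedPublisher', 'Unsigned')]
        [string]$Signature
    )
    # Assumption: disabling all add-ins takes precedence over the other two settings.
    if ($DisableAll) { return 'Disabled, user not notified' }
    # Default behavior: installed and registered add-ins run without warning.
    if (-not $RequireSigned) { return 'Runs without notification' }
    if ($Signature -eq 'TrustedPublisher') { return 'Runs without notification' }
    # Assumption: the notification setting only matters once signing is required.
    if ($Signature -eq 'Unsigned' -and $SuppressUnsignedBar) {
        return 'Disabled silently, user cannot enable'
    }
    return 'Disabled, user prompted to enable'
}

# Constructed plan: one row per application, because there are no global add-in settings.
$plan = @(
    [pscustomobject]@{ App = 'Excel';      DisableAll = $false; RequireSigned = $true;  SuppressUnsignedBar = $true  }
    [pscustomobject]@{ App = 'Word';       DisableAll = $false; RequireSigned = $false; SuppressUnsignedBar = $true  }
    [pscustomobject]@{ App = 'PowerPoint'; DisableAll = $false; RequireSigned = $true;  SuppressUnsignedBar = $false }
    [pscustomobject]@{ App = 'Access';     DisableAll = $true;  RequireSigned = $true;  SuppressUnsignedBar = $false }
)

$report = foreach ($p in $plan) {
    foreach ($sig in 'TrustedPublisher', 'UntrustedPublisher', 'Unsigned') {
        $settings = @{
            DisableAll          = $p.DisableAll
            RequireSigned       = $p.RequireSigned
            SuppressUnsignedBar = $p.SuppressUnsignedBar
            Signature           = $sig
        }
        [pscustomobject]@{ App = $p.App; Signature = $sig; Outcome = Get-AddinOutcome @settings }
    }
    # Planning checks: settings that have no effect in the modeled combination.
    if ($p.SuppressUnsignedBar -and -not $p.RequireSigned -and -not $p.DisableAll) {
        Write-Warning "$($p.App): notifications suppressed but signing is not required; unsigned add-ins still run."
    }
    if ($p.DisableAll -and ($p.RequireSigned -or $p.SuppressUnsignedBar)) {
        Write-Warning "$($p.App): all add-ins are disabled; the signing and notification settings are redundant."
    }
}
$report | Format-Table -AutoSize
```

In this constructed plan, Excel is the only application where an unsigned add-in is disabled without the user being able to enable it. Word still runs every add-in, and Access blocks all of them regardless of signature.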
Note
For the latest information about policy settings, refer to the Microsoft Excel 2010 workbook Office2010GroupPolicyAndOCTSettings_Reference.xls, which is available in the Files in this Download section on the Office 2010 Administrative Template files (ADM, ADMX, ADML) and Office Customization Tool (https://go.microsoft.com/fwlink/p/?LinkID=189316&clcid=0x409) download page.