How to export DLP Office add-in certificate and distribute via GPO

Article ID: 203483

Products

Data Loss Prevention Endpoint Prevent

Issue/Introduction

When Office is configured to require signed add-ins, it disables any add-in whose publisher has not been trusted and shows a security warning when a document is opened. This is resolved by either of the following:

1. Manually trusting the add-in during a security prompt at Office startup

2. Importing the certificate to the trust center

This will also cause the Enforce console to report that the Office add-ins have been tampered with for the DLP agents.

When this issue occurs, you may also see a prompt with language similar to the following:

Excel is running into problems with the 'csa.officeaddin' add-in. If this keeps happening, disable this add-in and check for available updates. Do you want to disable it now?

Cause

This happens when the DLP add-in certificate is not a trusted publisher and you have enabled the following Office setting:

Options > Trust Center > Trust Center Settings - Add-ins > Require Application Add-ins to be signed by Trusted Publisher

Environment

DLP

MS Office

Resolution

To resolve this issue, the DLP add-in for Office first needs to be trusted on one machine so that the publisher certificate can be exported. Once the certificate is exported, it can be distributed across the network via GPO.

Trusting and Exporting the DLP certificate

Go to one of the machines where the DLP agent is installed and Office shows the security warning (this example uses Word):

Go to File > Info

Click Enable Content > Advanced Options

Select "Enable all code published by this publisher" then click OK

Close the Office Application

Export the certificate for redistribution

Start Certificate Manager by opening Run > certmgr.msc

Go to Trusted Publisher > Certificates

Right click on "Symantec Corporation DigiCert Assured ID Code Signing CA-1"

Select All Tasks > Export

Save the certificate with your preferred format and name.

The certificate can be distributed using Microsoft Group Policy Object as instructed in the following:

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/distribute-certificates-to-client-computers-by-using-group-policy

After the GPO has been updated you may need to run "gpupdate /force" on the agents to get the update immediately or you can wait for natural distribution of the GPO.

To confirm the GPO is deployed open certmgr.msc and verify the Symantec Corporation certificate is located in the Trusted Publisher > Certificates.

Note: Adding the trusted publisher in this way resolves the Office security warning for all Office products; there is no need to repeat these steps for each Office application.
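The export and the post-GPO verification steps above can also be scripted. The following PowerShell is an added example, not part of this article or of the DLP product; it assumes the publisher certificate's subject contains "Symantec Corporation" and uses C:\Temp\dlp-addin-publisher.cer as an example output path.

```powershell
# Added example (not from the article). Assumed values: the subject filter
# 'Symantec Corporation' and the output path C:\Temp\dlp-addin-publisher.cer.

# Step 1 - run on the machine where the add-in was trusted through Office.
# Trusting a publisher in Office places its certificate in the current user's
# Trusted Publishers store; export it as a public-key-only .cer for the GPO.
function Export-DlpPublisherCert {
    param(
        [string]$SubjectMatch = 'Symantec Corporation',
        [string]$OutFile = 'C:\Temp\dlp-addin-publisher.cer'
    )
    $cert = Get-ChildItem -Path Cert:\CurrentUser\TrustedPublisher |
        Where-Object { $_.Subject -like "*$SubjectMatch*" } |
        Select-Object -First 1
    if (-not $cert) {
        throw "No certificate matching '$SubjectMatch' in CurrentUser\TrustedPublisher. Trust the add-in in Office first."
    }
    New-Item -ItemType Directory -Path (Split-Path $OutFile) -Force | Out-Null
    # -Type CERT writes DER-encoded public certificate data only; no private key.
    Export-Certificate -Cert $cert -FilePath $OutFile -Type CERT | Out-Null
    Write-Output "Exported '$($cert.Subject)' (thumbprint $($cert.Thumbprint)) to $OutFile"
    return $cert.Thumbprint
}

# Step 2 - run on a DLP agent after the GPO has applied (or after gpupdate /force).
# GPO-distributed certificates land in the LocalMachine store; the CurrentUser
# store is checked as well because Office honours both.
function Test-DlpPublisherTrusted {
    param(
        [Parameter(Mandatory)][string]$Thumbprint
    )
    $stores = 'Cert:\LocalMachine\TrustedPublisher', 'Cert:\CurrentUser\TrustedPublisher'
    foreach ($store in $stores) {
        $hit = Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
            Where-Object { $_.Thumbprint -eq $Thumbprint }
        if ($hit) {
            Write-Output "Found in $store : $($hit.Subject)"
            return $true
        }
    }
    Write-Warning "Thumbprint $Thumbprint not in Trusted Publishers; run 'gpupdate /force' and retry."
    return $false
}

# Usage: export on the trusted machine, then verify on an agent with the same thumbprint.
# $tp = Export-DlpPublisherCert
# Test-DlpPublisherTrusted -Thumbprint $tp
```

Checking by thumbprint rather than by display name avoids matching an unrelated certificate with a similar subject.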

Additional Information

See also: Troubleshooting Office files and custom solutions with the telemetry log