How to export DLP Office add-in certificate and distribute via GPO
Article ID: 203483
Updated On:
Products
Issue/Introduction
When Office requires signed add-ins it will disable any add-in that has not been trusted and give a security warning when Office opens a document. This is resolved by either of the following:
1. Manually trusting the add-in during a security prompt at Office startup.
2. Importing the certificate to the trust center.
This will also cause the Enforce console to report that the Office add-ins have been tampered with for the DLP agents.
When this issue occurs, you may also see a prompt with language similar to the following:
Excel is running into problems with the 'csa.officeaddin' add-in. If this keeps happening, disable this add-in and check for available updates. Do you want to disable it now?
Environment
DLP
MS Office
Cause
This happens when the DLP add-in certificate is not a trusted publisher and you have enabled the following Office setting:
Options > Trust Center > Trust Center Settings - Add-ins > Require Application Add-ins to be signed by Trusted Publisher
Resolution
To resolve this issue, the DLP add-in for Office first needs to be trusted on a machine and then a certificate can be exported. Once the certificate is exported it can be distribute to the network via GPO.
Trusting and Exporting the DLP certificate
Go to one of the machines where the DLP agent is installed and there is a security warning on Office (For this example we will use Word):
Go to File > Info
Click Enable Content > Advanced Options
Select "Enable all code published by this publisher" then click OK
Close the Office Application
Export the certificate for redistribution
Start Certificate Manager by opening Run > certmgr.msc
Go to Trusted Publisher > Certificates
Right click on "Symantec Corporation DigiCert Assured ID Code Signing CA-1"
Select All Tasks > Export
Save the certificate with your preferred format and name.
The certificate can be distributed using Microsoft Group Policy Object as instructed in the following:
After the GPO has been updated you may need to run "gpupdate /force" on the agents to get the update immediately or you can wait for natural distribution of the GPO.
To confirm the GPO is deployed open certmgr.msc and verify the Symantec Corporation certificate is located in the Trusted Publisher > Certificates.
Note: By adding the trusted publisher in this way it will resolve the Office security warning for all Office products, there will be no need to repeat this steps for the other Office products.
Additional Information
Feedback
