Trusting Office Solutions by Using Inclusion Lists
Inclusion lists enable users to grant trust to Office solutions that are signed with a certificate that identifies the publisher. Inclusion lists are user-specific, and they can be used for document-level customizations and application-level add-ins.
Applies to: The information in this topic applies to document-level projects and application-level projects for Microsoft Office 2013 and Microsoft Office 2010. For more information, see Features Available by Office Application and Project Type.
When a user starts an Office solution that has not been granted trust for that user, the Microsoft Office solution prompts him or her for a security decision with a ClickOnce trust prompt. If the user decides to trust the solution, the customization runs and the user is not prompted the next time.
Installing Office solutions into the Program Files directory by using Windows Installer requires administrator rights. For Office solutions in the Program Files directory, the Visual Studio 2010 Tools for Office Runtime no longer checks the inclusion list because the Office solutions have already been granted FullTrust permission.
By using the ClickOnce implementation for Office solutions, administrators can configure the trust prompt level to allow prompting, disable prompting, or require a trusted certificate. This configuration is done by using a registry key that controls access to the inclusion list.
If prompting is disabled, only solutions that have a trusted and known certificate can be installed. If the prompting level is set to Authenticode required, the solution must be signed with a certificate from a known authority, but it does not require a certificate that chains to a trusted root authority (a trusted certificate). If prompting is allowed, the solution could be signed with a certificate with an unknown identity. In this scenario, the trust decision is deferred to the end user, and a temporary certificate would be sufficient to install a solution.
A valid inclusion list entry has two parts: a path to the deployment manifest, and the public key used to sign the solution. After a solution is added to the inclusion list, it is considered trusted. When the Office solution runs, the Office application compares the public key in the inclusion list with the signing key in the deployment manifest to verify that the solution that is currently running is the same as the original trusted version.