Configure inclusion list security
If you have Administrator permissions, you can configure the ClickOnce trust prompt to control whether end users are given the option of installing Office solutions by saving a trust decision to the inclusion list. For information about inclusion lists, see Trust Office solutions by using inclusion lists.
Applies to: The information in this topic applies to document-level projects and VSTO Add-in projects. See Features available by Office application and project type.
For solutions that are in each of five zones, you can set the following options:
Enable the ClickOnce Trust Prompt Key and the inclusion list. You can allow end users to grant trust to Office solutions that are signed with any certificate.
Restrict the ClickOnce Trust Prompt Key and the inclusion list. You can allow end users to install Office solutions that are signed with a certificate that identifies the publisher, but that is not already trusted.
Disable the ClickOnce Trust Prompt Key and the inclusion list. You can prevent end users from installing any Office solution that is not signed with an explicitly trusted certificate.
Enable the inclusion list
Enable the inclusion list for a zone when you want end users to be presented with the option of installing and running any Office solution that comes from that zone.
To enable the inclusion list by using the registry editor
Open the registry editor:
Click Start, and then click Run.
In the Open box, type regedt32.exe, and then click OK.
Find the following registry key:
\HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\.NETFramework\Security\TrustManager\PromptingLevel
If the key does not exist, create it.
Add the following subkeys as String Value, if they do not already exist, with the associated values.
String Value subkey Value Internet AuthenticodeRequired UntrustedSites Disabled MyComputer Enabled LocalIntranet Enabled TrustedSites Enabled By default, Internet has the value AuthenticodeRequired and UntrustedSites has the value Disabled.
To enable the inclusion list programmatically
Create a Visual Basic or Visual C# console application.
Open the Program.vb or Program.cs file for editing and add the following code.
Microsoft.Win32.RegistryKey key; key = Microsoft.Win32.Registry.LocalMachine.CreateSubKey("SOFTWARE\\MICROSOFT\\.NETFramework\\Security\\TrustManager\\PromptingLevel"); key.SetValue("MyComputer", "Enabled"); key.SetValue("LocalIntranet", "Enabled"); key.SetValue("Internet", "AuthenticodeRequired"); key.SetValue("TrustedSites", "Enabled"); key.SetValue("UntrustedSites", "Disabled"); key.Close();Build and run the application.
Restrict the inclusion list
Restrict the inclusion list so that solutions must be signed with Authenticode certificates that have known identity before users are prompted for a trust decision.
To restrict the inclusion list
Open the registry editor:
Click Start, and then click Run.
In the Open box, type regedt32.exe, and then click OK.
Find the following registry key:
\HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\.NETFramework\Security\TrustManager\PromptingLevel
If the key does not exist, create it.
Add the following subkeys as String Value, if they do not already exist, with the associated values.
String Value subkey Value UntrustedSites Disabled Internet AuthenticodeRequired MyComputer AuthenticodeRequired LocalIntranet AuthenticodeRequired TrustedSites AuthenticodeRequired By default, Internet has the value AuthenticodeRequired and UntrustedSites has the value Disabled.
To restrict the inclusion list programmatically
Create a Visual Basic or Visual C# console application.
Open the Program.vb or Program.cs file for editing and add the following code.
Microsoft.Win32.RegistryKey key; key = Microsoft.Win32.Registry.LocalMachine.CreateSubKey("SOFTWARE\\MICROSOFT\\.NETFramework\\Security\\TrustManager\\PromptingLevel"); key.SetValue("MyComputer", "AuthenticodeRequired"); key.SetValue("LocalIntranet", "AuthenticodeRequired"); key.SetValue("Internet", "AuthenticodeRequired"); key.SetValue("TrustedSites", "AuthenticodeRequired"); key.SetValue("UntrustedSites", "Disabled"); key.Close();Build and run the application.
Disable the inclusion list
You can disable the inclusion list so that end users can only install solutions that are signed with a trusted and known certificate.
To disable the inclusion list
Open the registry editor:
Click Start, and then click Run.
In the Open box, type regedt32.exe, and then click OK.
Create the following registry key if this does not already exist:
\HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\.NETFramework\Security\TrustManager\PromptingLevel
Add the following subkeys as String Value, if they do not already exist, with the associated values.
String Value subkey Value UntrustedSites Disabled Internet Disabled MyComputer Disabled LocalIntranet Disabled TrustedSites Disabled
To disable the inclusion list programmatically
Create a Visual Basic or Visual C# console application.
Open the Program.vb or Program.cs file for editing and add the following code.
Microsoft.Win32.RegistryKey key; key = Microsoft.Win32.Registry.LocalMachine.CreateSubKey("SOFTWARE\\MICROSOFT\\.NETFramework\\Security\\TrustManager\\PromptingLevel"); key.SetValue("MyComputer", "Disabled"); key.SetValue("LocalIntranet", "Disabled"); key.SetValue("Internet", "Disabled"); key.SetValue("TrustedSites", "Disabled"); key.SetValue("UntrustedSites", "Disabled"); key.Close();Build and run the application.
Related content
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for