How to: Configure the ClickOnce Trust Prompt

You can configure the ClickOnce trust prompt to control whether end users are given the option of installing Visual Studio Tools for Applications solutions. You configure the trust prompt by setting registry keys on each end user's computer.

The following table shows the configuration options that can be applied to each of the five zones (Internet, UntrustedSites, MyComputer, LocalIntranet, and TrustedSites).

Option                        Description
Enable the trust prompt.      You can allow end users to grant trust to Office solutions that are signed with any certificate.
Restrict the trust prompt.    You can allow end users to install Office solutions that are signed with a certificate that identifies the publisher.
Disable the trust prompt.     You can prevent end users from installing any Office solution that is not signed with an explicitly trusted certificate.

Enabling the ClickOnce Trust Prompt

Enable the trust prompt for a zone when you want end users to be presented with the option of installing and running any signed Visual Studio Tools for Applications solution that comes from that zone.

To enable the ClickOnce trust prompt by using the registry editor

  1. Open the registry editor:

    1. Click Start, and then click Run.

    2. In the Open box, type regedt32.exe, and then click OK.

  2. Find the following registry key:

    \HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\.NETFramework\Security\TrustManager\PromptingLevel

    If the key does not exist, create it.

  3. Under that key, add the following String Value entries, if they do not already exist, and set each to the value shown in the following table.

    String Value name    Value
    Internet             AuthenticodeRequired
    UntrustedSites       Disabled
    MyComputer           Enabled
    LocalIntranet        Enabled
    TrustedSites         Enabled

    By default, Internet has the value AuthenticodeRequired and UntrustedSites has the value Disabled.

To enable the ClickOnce trust prompt programmatically

  1. Create a Visual Basic or Visual C# console application in Visual Studio.

  2. Open the Program.vb or Program.cs file for editing and add the following code.

    ' Visual Basic: prompt for any signed solution from MyComputer, LocalIntranet and TrustedSites.
    ' Writing under HKEY_LOCAL_MACHINE requires administrator rights.
    Dim key As Microsoft.Win32.RegistryKey
    key = Microsoft.Win32.Registry.LocalMachine.CreateSubKey("SOFTWARE\MICROSOFT\.NETFramework\Security\TrustManager\PromptingLevel")
    key.SetValue("MyComputer", "Enabled")
    key.SetValue("LocalIntranet", "Enabled")
    key.SetValue("Internet", "AuthenticodeRequired")
    key.SetValue("TrustedSites", "Enabled")
    key.SetValue("UntrustedSites", "Disabled")
    key.Close()

    // C#: prompt for any signed solution from MyComputer, LocalIntranet and TrustedSites.
    // Writing under HKEY_LOCAL_MACHINE requires administrator rights.
    Microsoft.Win32.RegistryKey key;
    key = Microsoft.Win32.Registry.LocalMachine.CreateSubKey("SOFTWARE\\MICROSOFT\\.NETFramework\\Security\\TrustManager\\PromptingLevel");
    key.SetValue("MyComputer", "Enabled");
    key.SetValue("LocalIntranet", "Enabled");
    key.SetValue("Internet", "AuthenticodeRequired");
    key.SetValue("TrustedSites", "Enabled");
    key.SetValue("UntrustedSites", "Disabled");
    key.Close();
    
  3. Build and run the application.

Restricting the ClickOnce Trust Prompt

Restrict the trust prompt so that solutions must be signed with Authenticode certificates that have a known identity before users are prompted for a trust decision.

To restrict the ClickOnce trust prompt by using the registry editor

  1. Open the registry editor:

    1. Click Start, and then click Run.

    2. In the Open box, type regedt32.exe, and then click OK.

  2. Find the following registry key:

    \HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\.NETFramework\Security\TrustManager\PromptingLevel

    If the key does not exist, create it.

  3. Under that key, add the following String Value entries, if they do not already exist, and set each to the value shown in the following table.

    String Value name    Value
    UntrustedSites       Disabled
    Internet             AuthenticodeRequired
    MyComputer           AuthenticodeRequired
    LocalIntranet        AuthenticodeRequired
    TrustedSites         AuthenticodeRequired

    By default, Internet has the value AuthenticodeRequired and UntrustedSites has the value Disabled.

To restrict the ClickOnce trust prompt programmatically

  1. Create a Visual Basic or Visual C# console application in Visual Studio.

  2. Open the Program.vb or Program.cs file for editing and add the following code.

    ' Visual Basic: require a publisher-identifying Authenticode certificate in every zone except UntrustedSites.
    ' Writing under HKEY_LOCAL_MACHINE requires administrator rights.
    Dim key As Microsoft.Win32.RegistryKey
    key = Microsoft.Win32.Registry.LocalMachine.CreateSubKey("SOFTWARE\MICROSOFT\.NETFramework\Security\TrustManager\PromptingLevel")
    key.SetValue("MyComputer", "AuthenticodeRequired")
    key.SetValue("LocalIntranet", "AuthenticodeRequired")
    key.SetValue("Internet", "AuthenticodeRequired")
    key.SetValue("TrustedSites", "AuthenticodeRequired")
    key.SetValue("UntrustedSites", "Disabled")
    key.Close()

    // C#: require a publisher-identifying Authenticode certificate in every zone except UntrustedSites.
    // Writing under HKEY_LOCAL_MACHINE requires administrator rights.
    Microsoft.Win32.RegistryKey key;
    key = Microsoft.Win32.Registry.LocalMachine.CreateSubKey("SOFTWARE\\MICROSOFT\\.NETFramework\\Security\\TrustManager\\PromptingLevel");
    key.SetValue("MyComputer", "AuthenticodeRequired");
    key.SetValue("LocalIntranet", "AuthenticodeRequired");
    key.SetValue("Internet", "AuthenticodeRequired");
    key.SetValue("TrustedSites", "AuthenticodeRequired");
    key.SetValue("UntrustedSites", "Disabled");
    key.Close();
    
  3. Build and run the application.

Disabling the ClickOnce Trust Prompt

You can disable the trust prompt so that end users are not given the option to install solutions that are not already trusted in their security policy.

To disable the ClickOnce trust prompt by using the registry editor

  1. Open the registry editor:

    1. Click Start, and then click Run.

    2. In the Open box, type regedt32.exe, and then click OK.

  2. Find the following registry key:

    \HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\.NETFramework\Security\TrustManager\PromptingLevel

    If the key does not exist, create it.

  3. Under that key, add the following String Value entries, if they do not already exist, and set each to the value shown in the following table.

    String Value name    Value
    UntrustedSites       Disabled
    Internet             Disabled
    MyComputer           Disabled
    LocalIntranet        Disabled
    TrustedSites         Disabled

To disable the ClickOnce trust prompt programmatically

  1. Create a Visual Basic or Visual C# console application in Visual Studio.

  2. Open the Program.vb or Program.cs file for editing and add the following code.

    ' Visual Basic: disable the trust prompt in all five zones.
    ' Writing under HKEY_LOCAL_MACHINE requires administrator rights.
    Dim key As Microsoft.Win32.RegistryKey
    key = Microsoft.Win32.Registry.LocalMachine.CreateSubKey("SOFTWARE\MICROSOFT\.NETFramework\Security\TrustManager\PromptingLevel")
    key.SetValue("MyComputer", "Disabled")
    key.SetValue("LocalIntranet", "Disabled")
    key.SetValue("Internet", "Disabled")
    key.SetValue("TrustedSites", "Disabled")
    key.SetValue("UntrustedSites", "Disabled")
    key.Close()

    // C#: disable the trust prompt in all five zones.
    // Writing under HKEY_LOCAL_MACHINE requires administrator rights.
    Microsoft.Win32.RegistryKey key;
    key = Microsoft.Win32.Registry.LocalMachine.CreateSubKey("SOFTWARE\\MICROSOFT\\.NETFramework\\Security\\TrustManager\\PromptingLevel");
    key.SetValue("MyComputer", "Disabled");
    key.SetValue("LocalIntranet", "Disabled");
    key.SetValue("Internet", "Disabled");
    key.SetValue("TrustedSites", "Disabled");
    key.SetValue("UntrustedSites", "Disabled");
    key.Close();
    
  3. Build and run the application.
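
To check which of the three configurations above is in effect on a machine, the following PowerShell script (an added example, not part of the original page) reads the five zone values and reports what each one allows. The function names and the sample hashtable are constructed for illustration; zones other than Internet and UntrustedSites are reported as unset because the page states no default for them.

```powershell
# Added audit example (not from the original page); it only reads the registry.
$KeyPath = 'HKLM:\SOFTWARE\MICROSOFT\.NETFramework\Security\TrustManager\PromptingLevel'
$Zones   = 'Internet', 'UntrustedSites', 'MyComputer', 'LocalIntranet', 'TrustedSites'
# Defaults the page states; it gives none for the other three zones.
$StatedDefaults = @{ Internet = 'AuthenticodeRequired'; UntrustedSites = 'Disabled' }
$Strictness = @{ Enabled = 0; AuthenticodeRequired = 1; Disabled = 2 }  # higher is stricter
$MeaningOf  = @{
    Enabled              = 'prompt for solutions signed with any certificate'
    AuthenticodeRequired = 'prompt only if the certificate identifies the publisher'
    Disabled             = 'no prompt; only explicitly trusted certificates install'
}

function Read-PromptingLevel {
    # Returns a zone -> value hashtable holding only the values present under the key.
    $found = @{}
    if (Test-Path -LiteralPath $KeyPath) {
        $key = Get-Item -LiteralPath $KeyPath
        foreach ($zone in $Zones) {
            $data = $key.GetValue($zone)
            if ($null -ne $data) { $found[$zone] = [string]$data }
        }
    }
    $found
}

function Get-PromptingLevelReport {
    param([hashtable] $Configured = @{})
    foreach ($zone in $Zones) {
        $level    = $Configured[$zone]
        $baseline = $StatedDefaults[$zone]      # $null when the page states no default
        $origin   = 'set'
        if ([string]::IsNullOrEmpty($level)) { $level = $baseline; $origin = 'not set' }
        $text = $null; $finding = 'ok'
        if ($null -eq $level) {
            $finding = 'not set; the page states no default for this zone'
        } elseif (-not $Strictness.ContainsKey($level)) {
            $finding = 'review: unrecognized value'
        } else {
            $text = $MeaningOf[$level]
            if ($baseline -and $Strictness[$level] -lt $Strictness[$baseline]) {
                $finding = 'review: looser than the stated default'
            }
        }
        [pscustomobject]@{ Zone = $zone; Value = $level; Origin = $origin; Meaning = $text; Finding = $finding }
    }
}
# Constructed sample: Internet loosened to Enabled, one typo, the rest unset.
Get-PromptingLevelReport @{ Internet = 'Enabled'; TrustedSites = 'Enable' } | Format-Table -AutoSize
Get-PromptingLevelReport (Read-PromptingLevel) | Format-Table -AutoSize  # live read of this machine
```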

See Also

Concepts

Securing and Deploying Add-Ins

Securing Add-ins by Using ClickOnce

How to: Sign Application and Deployment Manifests with Mage.exe

Deploying Add-ins by Using ClickOnce

Walkthrough: Integrating ClickOnce for a Managed Object Model

Other Resources

Visual Studio Tools for Applications 2.0