I'm having a rough time working around the Office baseline setting "Require that application add-ins are signed by Trusted Publisher". I understand the process is to add the signing certificate of each add-in to the "Trusted Publishers" machine store. But what I don't get is why add-ons that are part of the Office install aren't automatically trusted, or at least why there isn't an easy way to configure this.
In my experience, there are many certificates that need to be whitelisted for various features even within a single version of Office. And then these certificates may change as new versions of Office are released each month. I was up to 7 MS certificates when I gave up. And there is no documentation about which certificates need to be trusted, so admins are forced to experiment with all of the different features of Office each month... this just seems broken for features that are part of the Office install.
I've also looked at setting the paths of the add-ins as trusted locations, for example c:\Program Files\Microsoft Office\Root\Office16\Library, in order to allow the Excel Analysis ToolPak to be enabled. But that isn't working either.
How are other organizations dealing with this?
MS solutions I can think of:
- have an install switch for Office that adds all of the required MS certificates into the Trusted Publishers store
- document all of the certificates used to sign Office builds (in a format admins can use to push them out as Trusted Publishers)
- sign Office files with a single certificate good for 2 years
---update
The known issue from the v2206 baseline seems to still apply:
Known Issue: The Solver add-in that ships with Excel may not work properly with a certain security policy enabled... When the recommended security baselines policy "Prevent Excel from running XLM macros" is enabled, the Solver and Analysis ToolPak add-ins will not function properly. Functionality may be missing, and results may not be computed, even if the user is informed of a successful computation. A fix is in progress and workarounds, current status, and availability are included in the article.
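One way to take the experimentation out of the certificate hunt described in the post is to inventory the signers of the add-in files directly and compare them with the machine Trusted Publishers store. This is an added example, not part of the original post and not Microsoft tooling; the file extensions checked and the export folder are assumptions, and the Library path is the one quoted in the post.

```powershell
# Added example. Inventory Authenticode signers of Office add-in files and
# compare them with Cert:\LocalMachine\TrustedPublisher.
$AddInRoot  = 'C:\Program Files\Microsoft Office\Root\Office16\Library'  # path from the post
$Extensions = '*.xll', '*.dll'                          # assumption: PE-format add-in files only
$ExportDir  = Join-Path $env:TEMP 'OfficeAddInSigners'  # hypothetical output folder

# Thumbprints already present in the machine Trusted Publishers store
$trusted = Get-ChildItem -Path Cert:\LocalMachine\TrustedPublisher |
    Select-Object -ExpandProperty Thumbprint

# Read the signature of every matching file under the add-in root
$signatures = Get-ChildItem -Path $AddInRoot -Recurse -File -Include $Extensions |
    ForEach-Object { Get-AuthenticodeSignature -LiteralPath $_.FullName }

# Files with no signer certificate cannot be handled by trusting a publisher
$signatures | Where-Object { -not $_.SignerCertificate } |
    Select-Object Path, Status | Format-Table -AutoSize

# One row per distinct signing certificate, with its trust state
$report = $signatures | Where-Object { $_.SignerCertificate } |
    Group-Object { $_.SignerCertificate.Thumbprint } |
    ForEach-Object {
        $cert = $_.Group[0].SignerCertificate
        [pscustomobject]@{
            Thumbprint          = $cert.Thumbprint
            Subject             = $cert.Subject
            NotAfter            = $cert.NotAfter   # signer certificate expiry
            Files               = $_.Count
            InTrustedPublishers = $trusted -contains $cert.Thumbprint
            Certificate         = $cert
        }
    }
$report | Select-Object Thumbprint, Subject, NotAfter, Files, InTrustedPublishers |
    Format-Table -AutoSize

# Export signers that are not yet trusted as .cer files for review
New-Item -ItemType Directory -Path $ExportDir -Force | Out-Null
$report | Where-Object { -not $_.InTrustedPublishers } | ForEach-Object {
    $target = Join-Path $ExportDir "$($_.Thumbprint).cer"
    Export-Certificate -Cert $_.Certificate -FilePath $target | Out-Null
}
```

Re-running the script after each monthly Office update and diffing the thumbprint list shows when a new signing certificate has appeared.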