Changes in the Security Model for Office Solutions (Mary Lee)

  • Comments 3

You can use two methods to trust an Office solution created in Visual Studio and not show a trust prompt to the end-user.

  1. Sign your Office solution with certificate that chains to a trusted root authority and is in the Trusted Publisher list.
  2. Sign your Office solution with a certificate and trust that certificate by using the inclusion list.

(There is a third option to use the ClickOnce trust prompt and allow the end-user to choose whether to trust and install the Office solution.)

The first option is still the same: sign Office solutions with a certificate from a certificate authority and then add the certificate to the Trusted Publisher list.

The second option has changed slightly in Visual Studio 2010 and the VSTO 2010 runtime. You can still use the inclusion list for Office 2007 and Office 2010 solutions, but you must target the .NET Framework 3.5 and reference the Microsoft.VisualStudio.Tools.Office.Runtime.v10.0 assembly.

For .NET Framework 4 developers, you can deploy your solutions by using Windows Installer (MSI) into the Program Files directory. Office solutions installed to the Program Files directory are now considered to be already trusted because installing to the Program Files directory requires administrator rights. As a result, the Microsoft Office application loads the Office solution without checking the inclusion list. In addition, eliminating the inclusion list check may reduce the loading time.

How does this affect me?

If you deploy an Office 2007 solution by using Windows Installer (MSI) on a computer with Office 2010 and the VSTO 2010 runtime, your installer may show the following error: Error 1001. Could not load file or assembly 'Microsoft.VisualStudio.Tools.Office.Runtime.v9.0, Version=, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a' or one of its dependencies. The system cannot find the file specified.

This error appears because the Microsoft.VisualStudio.Tools.Office.Runtime.v9.0.dll assembly is not in the VSTO 2010 runtime. To work around this issue, you can complete one of the following steps:

  1. Update the inclusion list custom action to reference the Microsoft.VisualStudio.Tools.Office.Runtime.v10.0 assembly. At this point, you may have one installer for computers with Office 2007 and the VSTO 3 runtime, and a second installer for computers with Office 2010 and the VSTO 2010 runtime.
  2. Remove the inclusion list custom action from your MSI and install to the Program Files directory. The VSTO 2010 runtime considers all Office solutions installed to the Program Files directory to be trusted already, so the ClickOnce trust prompt does not appear.
  3. Install both the VSTO 3 runtime and VSTO 2010 runtime on the computer. This way, the correct assembly is located on the end-user computer, and the installer can create the inclusion list entry for the certificate.

Happy deployment!

Mary Lee, Programming Writer.

Leave a Comment
  • Please add 1 and 2 and type the answer here:
  • Post
  • Hi,

    It's really getting better and better - thanks!

    Kind regards,


  • I'm having problems with getting a VSTO add-in (created on Visual Studio 2008) identify its publisher on Word 2010. On Word 2007 everything works properly, but the same files (i.e. properly signed ones) on Word 2010 cause a warning about Unknown Publisher even though the add-in works just fine otherwise. VSTO 2010 runtime is installed and the certificate is added to Trusted Publishers, but the warning persists. Is there something I might have missed or are Office 2010 PIAs (which don't seem to be available yet) required for this? I tried also step 3, but VSTO 3 runtime couldn't be installed as the installer didn't find any valid products.

    Any help will be appreciated.

  • IlkkaV,

    I recommend that you post your question in the VSTO forum where it is easier to interact and investigate your problem.

    When do you post, please indicate if you are using the same certificate for both Word 2007 and Word 2010 solutions, if the certificate is from Thawte, and if you are using VS2010. This blog post is only about VS2010, so this information does not apply if you are only using VS2008.


Page 1 of 1 (3 items)

Changes in the Security Model for Office Solutions (Mary Lee)