Welcome to MSDN Blogs Sign in | Join | Help

Misha Shneerson

VSTO internals and the little things about CLR, COM, Visual Studio and more ...
Deploying your VSTO 2008 Add-In to All Users (Part III)

This post is both the continuation of part I and part II installments but it also addresses new product that has shipped since VSTO 2005 SE and this is VSTO 2008 (which is also known as VSTO 3.0 - see the complete matrix of VSTOs in this post by Andrew Whitechapel ).

Here is a quick recap of the last 2 episodes:
Traditionally Microsoft Office has allowed All Users installation of COM Add-Ins by the virtue of registering the add-in under HKLM\Software\Microsoft\Office\<Application>\AddIns registry key. There were few problems with managing HKLM add-ins - in particular non-admin users could not disable an add-in explicitly as well as crashing add-ins could not have been disabled automatically for such users. So, when managed add-ins were introduced in Office 2007 it was decided to break the cycle and disallow registering managed add-in under HKLM.

Today only those managed add-ins registered under HKCU registry hive are activated by Office 2007. This creates a different kind of problem - "how an administrator can deploy an Office add-in so that every user on the machine can use it?".

The part I post introduced an internal Office 2007 registry replication mechanism. The very sketchy part II post described, at a very high level, how to take advantage of the registry replication and modify the VSTO 2005 SE add-ins setup projects to be deployable to all users (The technique is a mixture of moving registry keys around in the deployment project itself coupled with creating custom actions similarly to those described in Darryn's VSTO 2005 SE deployment article). As a side note: I really should have invested more time into part II and make it a full walkthrough article. Now I am paying for my laziness since I need to answer a lot of "please clarify" comments on that post. But hey, on the flip side, trying to connect the sketchy pieces together and build the nice deployment package does build character - doesn't it?

If you are just learning this stuff - please understand there is no quick fix solution and before trying what I am going to describe below - please make sure to read all 4 articles I just mentioned: start with the deployment article (which by itself consists of 2 articles, then post I and post II).

VSTO 2008 significantly improves over VSTO2005SE deployment experience by introducing ClickOnce based deployment. The idea is that, as it is the case for ClickOnce deployment of Windows Forms project, you can now "publish" VSTO 2008 projects. This will create a setup.exe file you can give to your users to deploy your VSTO add-in.

The problem is that ClickOnce is also a per-user solution. Notice that there is no such thing as ClickOnce for All Users. And, if you are an administrator running a server and you want to deploy VSTO solution to all users on your server - you really need an MSI based setup project. This is, of course, not something we do anymore in VSTO 2008.

Let's see what can be done about it though. First of all, go and take a look into samples at http://code.msdn.microsoft.com/VSTO3MSI. These samples show how to create an MSI based deployment package for VSTO 3.0. The samples target single user - not All Users - but this is a very good start.

Key difference between VSTO 3.0 MSIs and VSTO 2.0 MSIs is that security model has changed. In VSTO 3.0 we no longer rely on CAS for security - both us and our users did have their share of problems with CAS so enough is enough. This was replaced with a concept of "Inclusion List" based security. Consequently, one of the things you will find in the site above is an InclusionListCustomActions - custom actions that call InclusionList APIs to pre-trust your solution.

So, now supposedly you have followed the VSTO3MSI samples and created an MSI based deployment package.

Next step for you is to follow general guidelines in the part II article and modify this solution to use Office's replication mechanism for All User deployment by moving registry entries from HKCU under HKLM\Software\Microsoft\Office\12.0\ User Settings\MyCompany.MyAddIn\Create registry key. Also, same post describes how to add a custom action to set up Count registry value the replication mechanism is based in and as well as handling the uninstallation of the add-in.

Next step is to remove the InclusionListCustomActions - these CAs are not good for All Users deployment.

But what do you need to do instead? Read on.

“Inclusion list” is just reg entries under HKEY_CURRENT_USER\Software\Microsoft\VSTO\Security\Inclusion – notice it is under HKCU not HKLM. The format of those registry entries is pretty self-describing – we use some random GUID to create a unique entry in the list, the entry contains the path to add-ins .vsto file and manifest's public key. Although "inclusion list" APIs create these registry entries for you but only under HKCU hive. That is not good for all users deployment. Instead your setup needs to install those registry keys into HKLM\Software\Microsoft\Office\12.0\ User Settings\MyCompany.MyAddIn\Create\Software\Microsoft\VSTO\Security\Inclusion and rely on Office’s replication mechanism to copy those into HKCU.

So, first go to HKEY_CURRENT_USER\Software\Microsoft\VSTO\Security\Inclusion and find the entry in the list that pre-trusts your solution. Export this entry into a .reg file. This file should look like this:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\VSTO\Security\Inclusion\30b8e0dd-8ff5-4828-a53b-4933424888fd]
"Url"="file:<SOMEPATH>/ExcelWorkbook1.vsto"
"PublicKey"="<RSAKeyValue><Modulus>nPAT3uo/l/ba+L74Am8cHuxNwe50oXwpVgdKyKQOjskBkZWMMb8vcFzN91NxMj3p7CehgQeGZNuuy64wmvwiFRRq20lKXca3Iv7dkWgED6rkG20EGp4je0E1LrxdwYQg5tj5OO0gn4+nXR201tBy2BuqV1hI1ydxCPNZ+jDX+Gk=</Modulus><Exponent>AQAB</Exponent></RSAKeyValue>"

Next, change the highlighted text to

HKEY_LOCAL_MACHINE\Software\Microsoft\Office\12.0\User Settings\<MyCompany.MyAddIn>\Create

Next, change <SOMEPATH>\    to     [TARGETDIR]  and save .reg file.

Your .reg file now should look something like this:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Office\12.0\User Settings\<MyCompany.MyAddIn>\Create\Software\Microsoft\VSTO\Security\Inclusion\30b8e0dd-8ff5-4828-a53b-4933424888fd]
"Url"="file:[TARGETDIR]ExcelWorkbook1.vsto"
"PublicKey"="<RSAKeyValue><Modulus>nPAT3uo/l/ba+L74Am8cHuxNwe50oXwpVgdKyKQOjskBkZWMMb8vcFzN91NxMj3p7CehgQeGZNuuy64wmvwiFRRq20lKXca3Iv7dkWgED6rkG20EGp4je0E1LrxdwYQg5tj5OO0gn4+nXR201tBy2BuqV1hI1ydxCPNZ+jDX+Gk=</Modulus><Exponent>AQAB</Exponent></RSAKeyValue>"

Go into your Visual Studio deployment project, open the Registry View, right click on "Registry on Target Machine" root node in the view and click "Import ..." to import the .reg file.

That's it - you should now have the functioning MSI based deployment package for VSTO 3.0 solution. Use it!

As usual, the post is not a complete walkthrgough and might be sketchy in parts - so if you have something to add or you have found a mistake in the post - please leave a comment.

Posted: Thursday, April 24, 2008 12:24 PM by Misha Shneerson
Filed under:

Comments

Deploying your VSTO 2008 Add-In to All Users (Part III) | MS Office Security Watch said:

PingBack from http://msofficesecurity.com/officesecurity/microsoft-office/deploying-your-vsto-2008-add-in-to-all-users-part-iii

# April 25, 2008 12:09 AM

OBA Ramblings said:

Over the past few weeks, I've attended and presented at a number of conferences (specifically VSLive,

# April 25, 2008 4:06 PM

See what I see. said:

I got ahead of myself and thought it was one week later than it really is (sort of good because I was

# April 29, 2008 9:18 PM

Open XML, VSTO, Deployment, .NET und anderes said:

Das Office 2007 Security Modell erlaubt es nicht, unter HKLM registrierte Managed Add-Ins zu verwenden.

# May 9, 2008 10:20 AM

Andrew Coates ::: MSFT said:

While the default mechanism for deploying VSTO v3 Add-Ins is ClickOnce, there there's now also a documented

# May 15, 2008 10:04 PM

dwarfnebula said:

Misha,

Thanks for this fantastic post.  I have it *almost* working with a custom Word Add-In (done in VSTO 3.0), except for one weird problem.  In the registry entry for the add-in under the HKCU hive, I set the value for the 'Manifest' entry to the '####.vsto|vstolocal' setting.  But as soon as I compile the installer, it changes the setting to the .dll.manifest file.  I can't seem to get around it.  Once I install it, if I change it back directly in the registry, everything works fine.  But I can't figure out how to get the build operation to leave that setting alone?  Any help would be greatly appreciated!

Thanks,

Gary

# May 20, 2008 6:33 PM

dwarfnebula said:

Misha,

Okay, I figured it out, but I'm not sure why this fixed it.  I was just comparing my settings to those of the VSTO 3.0 installer samples, and noticed something strange about how they named their add-in key.  What I had to do was change the name of the AddIn under the AddIns key.

The original key was: AddIns\BCG.Office.Greenhouse.WordAddIn

* This did not work (it is the same name as that of my add-in assembly)

I changed it to: AddIns\BCG Systems.BCG.Office.Greenhouse.WordAddIn

* The compiler then left this setting alone, and everything seems to work fine.

Really strange, but hopefully this will help someone else having this sort of issue.

Any insight to this behavior would be great.

Thanks again for this post, it's just what I needed,

Gary

# May 20, 2008 7:07 PM

Misha Shneerson said:

Hi Gary,

The solution you have found is absolutely correct :).

Some insights on why this is happening. This strange behavior is something that is left from previous versions of VSTO aka VSTO2005SE which did maintain setup projects - it is a bug and will be fixed by a service pack. The behavior there was that upon project recompilation we woud scan the current solution for any deployment projects, look for the registry key HKCU\Software\Microsoft\Office\<Application>\AddIns\<ProjectName> and update the registry values with the most up to date settings.

Obviously, if you went and renamed the reg key to something different from .....\<ProjectName> - our scanning code would not be able to make the connection and leave this registry key alone.

Now, if you are trying to get All-Users deployment working you might still have some work to do . Part of this article teslls to move all HKCU registry keys under HKLM\Software\Microsoft\Office\12.0\ User Settings\MyCompany.MyAddIn\Create hive. Once the reg keys are there - you should not be hitting this bug.

# May 20, 2008 7:30 PM

dwarfnebula said:

Misha,

Thanks for the quick response.  I followed your article, and migrated the key for security to the HKLM hive, and I get the all users deployment with no problem.  The install works so far on both XP, Server 2003, and Vista!  Vista was the main reason I wanted to go to VSTO 3.0 to get around that whole CASPOL nightmare.  This is the ideal solution!

Thanks again,

Gary

# May 20, 2008 8:32 PM

asurachman said:

Hi Mishaa,

Thank you for your articles. My Addins has been successfully deployed.  And also I have noticed that the application creates new record in GAC\download each time it is loaded.  The new one doesn't suppress the previous one.  

Please your suggestion how we can handle this.

Regards,

# June 8, 2008 10:10 PM

Misha Shneerson said:

Hello asurachman,

Sorry, but I do not understand what you mean by "application creates new record in GAC\download" and why this is a problem.

# June 9, 2008 2:27 AM

cyberbyber said:

Hi Misha, I am working on a VSTO2005SE based Word 2003 add-in. I developed it in VS2008. During development and testing everything was fine on my machine. I followed all the articles on deployment of application wide add-ins using deployment packages and have developed a deployment pack from the template generated by VS, that deploys the assembly for use by all users(by registering under the HKLM hive) and sets proper security settings in CAS, by granting full access to the strong name of the assembly.

But when I test it on a separate user station, even though the setup runs just fine, i do not see the menus that the add-in creates. In addition the LoadBehavior value in the registry switches from 3 to 2 after word opens, which according to the documentation is due to a failure upon loading the add-in. I examined the fusion logs, but there was not a single attempt of even trying to load the add-in assembly. I do not get any error messages in Word either. I even went a step further and extracted the necessery Office 2003 PIAs from the GAC and substituted the references that VS had created for me with them, just to be on the safe side on referencing the very same assemblies. VSTO as well as PIA were of course installed on the testing station prior to installing the add-in.

For me it seems that I have no means to find out what exaclty the cause of this failure might be and would be very thankful if you could come with some tips.

Both the development and testing environments are XP SP2 with Office 2003 Pro with Norwegian locale.

Thanks in advance!

Svetoslav

# June 25, 2008 7:59 AM

Misha Shneerson said:

Svetoslav, can you contact me offlne using the email link at top of this page?

# June 25, 2008 12:37 PM

Nas said:

My Addin for Outlook 2003 works great on XP machines but not on Terminal server. I am creating registry key under HKLM hives and on XP machines Loadbehavior values remains 3 but on Terminal server it is 2 after addin deployment. If I change it to 3, my Addin works but as soon as another outlook session starts on terminal server, loadbehavior switches to 2 and addin doesn't work at all.

I dont't have much knowldge about Addin deployment on terminal server. I think it is not code security issue as I have given FullTrust to addin. Should I create registry entry under HKLM or HKCU?  If HKCU then how I can create registry for all users?

Many thanks

# June 25, 2008 3:25 PM

Misha Shneerson said:

Hi Nas,

I am not sure how Terminal Servers come into play. It is possible thought that the add-in throws exceptions on startup - you can use VSTO_SUPPRESSDISPLAYALERTS setting to enfore failure logging or just attach a debugger under the failure scenario.

# June 27, 2008 4:15 AM

Nas said:

Hi Misha,

Many thanks for your response. I forgot to mention that my Addin is a shared IDTExtensibility2 based and not a VSTO one. I don't think so I can be able to use VSTO_SUPPRESSDISPLAYALERTS but do you know any other method or tool to trace Addin load failure.

Many thanks

# June 27, 2008 7:06 PM

Misha Shneerson said:

Debuggers work pretty well to trace failures :)

# June 27, 2008 7:22 PM

Nas said:

Hi Misha,

I found following article very helpful regarding COM Addin deployment for Office 2003 applications.

http://blogs.msdn.com/vsod/archive/2008/04/22/Troubleshootin g-com-add-in-load-failures.aspx

Thanks anyway for your prompt response.

# June 30, 2008 5:41 AM

Andy said:

Hi Misha,

Thank you for useful post.

But what about deploying Add-In to one standard user?

We have some Outlook Add-in and an installer for its deployment.

The installer works fine on XP and on Vista when I install it under an Administrator user account.

But, when I install it for a user without administrator privileges, it doesn't work.

If User Account Control (UAC) is off we have an error.

The error occurred at registration step.

Vista says: 'The module "MyAdd.dll" was loaded but the call to DllRegistredServer failed with error code 0x80004005'.

Running the installer via "Run as Administrator" (form the context menu) gives the same error.

If UAC is on, the "An unidentified program wants access to your computer" window appears.

We must type UserName and Password for some administrator.

As a result Add-In will be installed for this admin!!! Not for the target user!!!

Is it possible to make Add-In deployment for a user without administrator privileges?

Please, help!

Andy Blanch

P.S. NSI-installer is used for deployment.

The "RequestExecutionLevel highest" command in nsi-script has no effect.

# July 17, 2008 1:01 PM

Josh S. said:

I created an Outlook 2007 add in in VS 2005 for allUsers following all the steps you have described in previous articles.  It worked great.

Suddenly, the organization that I work for has rolled out a new image of Windows XP with I don't know what Office SP 2007, and the add in is no longer active.

I checked the registry and the registry keys were properly copied & the runtime security parameters appear to be correct.  

What would have changed that might have caused my add in to suddenly become inactive for allUsers.

Thanks

# July 24, 2008 5:08 PM

Misha Shneerson said:

Josh,

I am sorry but nothing rings a bell. If you wish you can contact me offline and we could try to troubleshoot it over email.

# July 25, 2008 12:53 AM

Andrew Coates ::: MSFT said:

I had a great time over the last couple of days hanging out with Christen Boyd and some of the other

# July 26, 2008 10:54 AM

Jon H. said:

Thanks for a very useful series of articles.  I have what is probably a very simple problem, I'm no doubt over looking something.  

I'm using VSTO3 with VS2008 and have created my own setup project.  After much reading I have my setup project with a custom action as described above calling the appropriate routines; I've added all the right project output into the setup project and manually included the .vsto and .manefest files which seem to be omitted as part of 'project output'.  The installer runs fine, copies the files, generates the 'create' registry key and the subsequent HKCU key appears as expected.  When I run Outlook, however, the addin doesn't appear.  If I double-click the .vsto and hit 'install' it works perfectly.

Could you tell me what double-clicking the vsto is doing that my installer isn't?

Many thanks for any assistance.

# August 11, 2008 10:06 AM

Jon H. said:

A bit more info, I've double checked and cleared out the old inclusion entries from development. It looks doesn't like the count value is being created in the addin 'create' key, however when I add this manually (and make sure the keys are being 'copied' to HKCU) Outlook still doesn't start up with my addin so my original question remains.

Many thanks.

# August 12, 2008 3:42 AM

Abhinav said:

Hi Misha,

I created a ribbon in Excel using VSTO 2008. My ribbon contains a button, on which I have provided screen tip & super tip as well as keyboard shortcut, after deploying it to excel; I am getting an extra tag in screen tip pop-up asking user to “Press F1 for more help”. While pressing F1 key it is opening MS online help; is it possible to customize this shortcut, I want a *.chm file to be opened which provide context help with perspective of my project.

# August 14, 2008 1:30 AM

Vitor Navarro said:

Hi Misha,

This is not related to the deploy to all but its related to vsto deployment.

It is possible to deploy an VSTO application without using a setup, .msi or any exe files, just by copying files or anything like it?

thx a lot.

# September 11, 2008 3:45 PM

Taryon said:

Hi Misha!

I used your articles (specially the Part III) and the http://msdn.microsoft.com/en-us/library/cc563937.aspx, parts 1 and 2.

My addin is for the outlook 2007 and it will be installed for just one user. This is a regular user and the installation needs to be done by the administrator.

Ok. In the registry view of my setup project, I create the keys for the HKCU with FriendlyName, LoadBehavior and Manifest, as you suggest and for the HKLM all the keys for the Inclusion.

When I install the addin in the target machine, The first one is created but the Inclusion isnt. If I create the Inclusion by manual, when i execute the outlook it asks me to install the addin, but it doesnt.

Could you help me?

Oh. If I install the Visual studio in this machine and compile the addin in it, it works fine.

thx in advance

# October 30, 2008 7:13 AM

Taryon said:

Hey, one more detail. The installation is not registering the formregions.

# October 30, 2008 7:43 AM

Misha Shneerson said:

Taryon,

I asked Kris Makey to look into your question and hre are some tips from Kris him:

This statement is a big clue to his problem:

"

Ok. In the registry view of my setup project, I create the keys for the HKCU with FriendlyName, LoadBehavior and Manifest, as you suggest and for the HKLM all the keys for the Inclusion.

"

Inclusion list only exists in the HKCU, if he's using the replication functionality he needs to check the "end result" on the user's machine, ignoring the add-in keys all-together.  

He might actually have better luck copying the certificate into the trusted publisher's store and the root certificate authority store.  He should discuss with the "administrator" this option though since putting "arbitrary" certificates is not recommended.

If he still needs help after investigating that he should try the following things:

Is he including the |vstolocal flag after the .vsto file in the manifest path?  

Is the .vsto file on an internet site for the user and did he sign with the temporary certificate (user needs to add the hosting website to trusted web sites list in internet options.  Or he needs to get a "valid" certificate.   If he's using vstolocal this may not work anyway, but I'm not 100% certain about that).

Has he tried setting VSTO_SUPPRESSDISPLAYALERTS = 0 so he'll get error messages, these may help him far more to debug the issue.

Is he installing to Windows XP or Server 2003 -> Are the PIA's installed?

# October 31, 2008 5:06 PM

Taryon said:

Hi Misha!

Thx for your attention.

1. I will try it with certificates. How I am the "admin" and the addin will be used in the internal network, I will use my own certificate because I do not need to be certified to my users, ok?

2. the replication funcionality is working ok.

3. yes, I am including the vstolocal flag

4. The PIA's are installed. 2007 in XP SP3 and Vista Clients

The workaround:

1. I install the vs2008 + SP1 + VSTO for the client into my profile then, compile and execute the addin one time.

2. after that, I create a directory in <drive>:\Program files\Microsoft\<addin> with the bin\debug stuff

3. Create the keys in registry for this

4. Working ok for the profile

5. After any change, I need to update the addin directory into the program files.

After that, I uninstall the vs2008

its ugly but works ok!

thx again for your cooperation!

# November 4, 2008 3:21 AM

Taryon said:

Hi Misha!

Using the VSTO_SUPPRESSDISPLAYALERTS=0 I got this:

************** Exception Text **************

System.Reflection.ReflectionTypeLoadException: Unable to load one or more of the requested types. Retrieve the LoaderExceptions property for more information.

  at System.Reflection.Module._GetTypesInternal(StackCrawlMark& stackMark)

  at System.Reflection.Assembly.GetTypes()

  at Microsoft.Office.Tools.AddIn.CreateRibbonObjects()

  at Microsoft.Office.Tools.AddIn.GetRibbonObjects()

  at Microsoft.Office.Tools.AddIn.CreateRibbonExtensibilityObject()

  at Microsoft.Office.Tools.AddIn.get_RibbonExtensibility()

  at Microsoft.Office.Tools.AddIn.Initialize()

  at oSistema.ThisAddIn.Initialize()

  at Microsoft.VisualStudio.Tools.Office.EntryPointComponentBase.Microsoft.VisualStudio.Tools.Applications.Runtime.IEntryPoint.Initialize(IServiceProvider hostContext)

  at Microsoft.VisualStudio.Tools.Applications.AddInAdapter.ExecutePhase(ExecutionPhases executionPhases)

  at Microsoft.VisualStudio.Tools.Office.Internal.OfficeAddInAdapter.InitializeEntryPointsHelper()

# November 5, 2008 11:42 AM

Edward said:

Hi Misha,

Currently, I am working on a VSTO based Word 2003 Addins developed by using VS2005. The addins consists of 2 buttons on a Toolbar. One button to show a Form, and the other one to publish/upload the Word document to a remote directory. During development the addins works fine. Then I created a setup project for the add-ins. I installed it on several machine in my office and it works just fine. Well, the publish button works on Word 2003 runs on Windows XP, but not on Vista. But that's just a small problem I guess.

When I tried to install it on a Terminal Server, the toolbar did not show up. There was nothing wrong with the installation process. I made sure that the prerequisites are already installed (such as the Office PIA and VSTO Runtime). I even tried to install it locally from the terminal server but still no luck.

It seems our Word 2003 addins doesn't work under Vista and Terminal Server. Do you have any advice or sources of information about this?

I would be very thankful if you could help. Thanks in advance.

Edward

# January 7, 2009 10:52 AM

Misha Shneerson said:

Edward,

I am not sure what the issue is. Please contact me offline (use the email link at the top of this page) and we will see what can be done.

# January 8, 2009 12:19 PM
Leave a Comment

(required) 

(required) 

(optional)

(required) 

Comment Notification

If you would like to receive an email when updates are made to this post, please register here

Subscribe to this post's comments using RSS

Page view tracker