Manage Microsoft Trusted Publisher Certificates - Outlook Add-ins


I'm working on a Windows 10 MOE deployment that is using the Microsoft Security Baseline templates to provide a more secure environment. This includes the "MSFT Office 365 ProPlus 1908 - User" baseline, which has the below picture setting that manages the loading of add-ins in Outlook (current on Semi-Annual Enterprise Channel build 2002, but toying with Monthly Enterprise Channel 2008).

[Image: O365 Security Baseline - Outlook Add-ins.jpg]

With this setting, users get prompted to enable add-ins for "Microsoft SharePoint Server Colleague Import Add-in" (ColleagueImport.dll), "Microsoft Teams Meeting Add-in for Microsoft Office" (Microsoft.Teams.AddinLoader.dll), "OneNote Notes about Outlook Items" (ONBttnOL.dll), "Microsoft VBA for Outlook Add-in" (OUTLVBA.dll) and "Outlook Social Connector 2016" (SOCIALCONNECTOR.dll). I could honestly do without the first one and the last one (although I've tried to use Group Policy to stop the Social Connector with no luck), but the rest will be required.

For each of the DLLs, I've extracted the Code Signing Certificate Microsoft uses to sign the DLLs and use Group Policy to import them as a "Trusted Publisher" certificate on the devices. Problem is that I've seen slight variations in these certificates (e.g. the same DLL might have been signed with a certificate with a serial number ending in 325, and then one with a serial number ending in 326). AND, the certificates are only 1 year in expiration, meaning most likely needing to manage the certificates via Group Policy on a yearly basis.

My question is this - is there any easy way to manage the Microsoft Code Signing Certificate updates easier than manually extracting the certificate and pushing via Group Policy? Would also appreciate if anyone has had luck disabling the Social Connector and SharePoint Server Colleague Import via Group Policy. I've also attached a Word document that shows each of the DLLs and SOME of the certificates used for signing (not the ones where there has been a slight variation in serial number).

Thanks

Matt
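As an added example (not code from the original post), the following PowerShell gathers the Authenticode signer certificate from each of the add-in DLLs named above, keeps one copy per thumbprint so re-signed builds are picked up automatically, and exports them as .cer files ready for the Trusted Publishers GPO import. The search roots, the output folder and the 60-day expiry warning window are assumptions; adjust them to your build.

```powershell
# Added example, not from the original post. Collects the distinct code-signing
# certificates used on the Outlook add-in DLLs and exports them for GPO import.
$searchRoots = @(
    "$env:ProgramFiles\Microsoft Office\root",        # assumed Click-to-Run install root
    "$env:LOCALAPPDATA\Microsoft\TeamsMeetingAddin"   # assumed Teams meeting add-in location
)
$addinDlls = @('ColleagueImport.dll', 'Microsoft.Teams.AddinLoader.dll',
               'ONBttnOL.dll', 'OUTLVBA.dll', 'SOCIALCONNECTOR.dll')
$exportDir = 'C:\Temp\TrustedPublishers'   # assumed output folder for the .cer files
New-Item -ItemType Directory -Path $exportDir -Force | Out-Null

# thumbprint -> certificate, so a DLL re-signed with serial ...326 instead of ...325
# simply adds a second entry rather than being missed.
$signers = @{}
foreach ($root in $searchRoots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -Recurse -Include $addinDlls -ErrorAction SilentlyContinue |
      ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        # Only collect a signer whose signature chain actually validates on this device.
        if ($sig.Status -ne 'Valid' -or -not $sig.SignerCertificate) {
            Write-Warning "$($_.FullName): signature status $($sig.Status), skipped"
            return
        }
        $cert = $sig.SignerCertificate
        if (-not $signers.ContainsKey($cert.Thumbprint)) {
            $signers[$cert.Thumbprint] = $cert
            Write-Host "$($_.Name): $($cert.Subject) serial $($cert.SerialNumber) expires $($cert.NotAfter)"
        }
      }
}

# Export each distinct signer as a DER .cer, which is what the GPO certificate import takes.
foreach ($cert in $signers.Values) {
    $path = Join-Path $exportDir "$($cert.Thumbprint).cer"
    Export-Certificate -Cert $cert -FilePath $path -Type CERT | Out-Null
}

# Flag certificates close to expiry, since the yearly turnover is the maintenance burden here.
$signers.Values | Where-Object { $_.NotAfter -lt (Get-Date).AddDays(60) } |
    ForEach-Object { Write-Warning "Renew soon: $($_.Subject) expires $($_.NotAfter)" }
```

To check the result on a single test device before touching Group Policy, `Import-Certificate -FilePath <file.cer> -CertStoreLocation Cert:\LocalMachine\TrustedPublisher` places the same certificate in the store the GPO populates.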

1 Reply

Have managed to find a GPO I can use to successfully disable the Colleague Import and Outlook Social Connector. So just needing to know about how to best manage the Trusted Publisher certificates.

[Image: mattgailer_0-1604967943539.png]