Policy
Allow root or intermediate certificates as VBA trusted publishers
This policy setting controls whether root and intermediate certificates can be added as trusted publishers for VBA macro validation when the VBA Macro Notification Settings policy is set to "Disable all except digitally signed macros". If you enable this policy setting, administrators can add root or intermediate certificates to the trusted publishers store. VBA macros signed by any certificate that chains to these trusted root or intermediate certificates will be considered as signed by a trusted publisher and allowed to run. If you disable or don't configure this policy setting, only end (leaf) certificates can be added as trusted publishers. Note: This policy setting only takes effect when the VBA Macro Notification Settings policy is set to "Disable all except digitally signed macros".
9fc55af529b1 L_VBADigSigChainTrustedPublishers Registry
Copy registry mappings
HKCU\software\policies\microsoft\office\16.0\common\security\vbadigsigchaintrustedpublishers (enabled) = 1
HKCU\software\policies\microsoft\office\16.0\common\security\vbadigsigchaintrustedpublishers (disabled) = 0Policy notes
This policy setting controls whether root and intermediate certificates can be added as trusted publishers for VBA macro validation when the VBA Macro Notification Settings policy is set to "Disable all except digitally signed macros". If you enable this policy setting, administrators can add root or intermediate certificates to the trusted publishers store. VBA macros signed by any certificate that chains to these trusted root or intermediate certificates will be considered as signed by a trusted publisher and allowed to run. If you disable or don't configure this policy setting, only end (leaf) certificates can be added as trusted publishers. Note: This policy setting only takes effect when the VBA Macro Notification Settings policy is set to "Disable all except digitally signed macros".