Trusted Publisher

Trusted Publisher automatically authorizes software installers, updates, and new applications to execute when they have been signed by trusted certificates. The software executes when the user executes it, with no action needed from you.

When a Trusted Publisher policy is assigned, any application may run as long as the initial executable is signed with a certificate in the policy. The policy doesn't update the endpoint whitelist.

  • Since Trusted Publisher doesn't update the endpoint whitelist, only use it to install applications that don't modify core system files or Dynamic Link Libraries (DLLs) that are shared with other applications. If the installation causes system files or DLLs to update, the applications sharing those files may no longer execute. This problem could occur, for example, if the whitelisted files get replaced by unsigned DLLs.

  • Trusted Updater should be your default policy for installing and updating applications. Only use Trusted Publisher when you can't use a Trusted Updater policy for a specific application.

When to Use Trusted Publisher

We recommend using Trusted Publisher to authorize the following software:

  • Cloud-distributed applications that do not reside on the disk until they are executed, such as WebEx and GoToMeeting. These are signed ActiveX controls that are downloaded into a browser

  • Browser plugins, which generally do not have updater tools

  • In-house signed custom applications

    The file that is authorized to execute is allowed to load all dependent processes; they don't need to be signed. Only the initial executable must be signed.

Be Aware of Multiple Certificates

Most software vendors have multiple certificates, but not all certificates for the same vendor are authorized. Only the specific certificates in the Trusted Publisher policy are authorized. If an executable that you expect to be authorized is blocked, check to see if the certificate matches the certificate in the policy. If the certificates are different, add the missing certificate to the policy.

Create A Trusted Publisher Policy

  1. From the Endpoint Security Console, select Manage > Application Control Policies.

  2. Click the Trusted Change tab.

  3. Select Create > Trusted Publisher to open the Trusted Publisher wizard.

  4. Progress through the wizard. See Creating a Trusted Publisher Policy in the Application Control Help for detailed steps.