Troubleshooting Microsoft Office Customization Installer "Unknown Publisher" message

Windows prompts this message when an unknown (unsigned) program tries to write data to protected system folders or the registry and the User Account Control (UAC) is seeking permission for it. Usually UAC finds Templafy's trusted publisher certificate that is part of the Templafy Desktop packages, but every now and than this certificate gets corrupted or not recognized. Its really difficult to say why this happens since Windows does not seem to log this information.

First, confirm if the certificate is correctly installed on the machine:

1. Navigate to the Windows Certificate manager, type "User certificate manager" in windows search bar.
2. Click on Trusted Publishers -> Certificate -> Templafy ApS
3. Select Certification Path -> Templafy Aps

Case 1

Perform the following steps on a machine where the Windows Customization Installer message is not displaying:

1. In Windows search type "Manage user certificates" -> Trusted Publishers -> Certificates.

2. From the list double-click on "Templafy Aps" -> Details -> Copy to file.

3. Go trough the Export wizard

4. When asked about the format select either option with .CER extension.

5. Save the file and name it similar to "Templafy Trusted Publisher certificate"

6. When you have exported certificate open the "Templafy Aps" certificate -> Certification Path 

7. From the list double-click on "DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1" -> Details -> Copy to File

8. Repeat the steps (3-4) as for the first certificate and name the certificate similar to "Intermediate certificate"

9. From the list double-click on "DigiCert Trusted Root G4" -> Details -> Copy to File

10. Repeat the steps (3-4) as for the first and second certificate and name the certificate similar to "Root certificate"

11. Forward these three certificates to the client, where they should deploy these three certificates trough Security Baseline or by using GPO.

Case 2 

It can also be possible that the certificate revocation list (CRL) is being blocked. This means that the Templafy signing certificate can not be verified weather or not the Templafy certificate is prematurely expired, resulting in the message.

To resolve the issue, the you need to whitelist the CRL: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl 

http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl 

This can be check by opening "Event Viewer" -> Applications and Services Logs -> Microsoft -> Windows -> CAPI2 -> Right click "Operational" -> Enable Log

Launch PowerPoint (or another Office application), then head back to "Operational" tab. There should be a list of log files and an error log entry matching the timestamp of when the Office application was opened.  

Case 3

In situations where case 1 and 2 have not worked it is a good idea to make sure the library add-in version is 7.1.99 or higher. From this version, there have been made some improvements to the signing process.  More concretely, we now sign the DLL's before updating the DLL manifest and we specify a publisher when signing the VSTO files.