You need to run a Word macro in an environment where AppLocker blocks unsigned scripts. Without a digital signature, AppLocker prevents VBA macros from executing, even if you wrote the macro yourself. This article explains how to obtain a code signing certificate, sign your VBA macro project, and configure Word so the signed macro runs under AppLocker rules. After reading, you will be able to deploy signed macros that pass AppLocker enforcement without disabling security policies.
Key Takeaways: Signing a Word VBA Macro for AppLocker
- Code signing certificate (PKI or self-signed): Required to digitally sign the VBA project; AppLocker trusts only signed macros from trusted publishers.
- VBA Editor > Tools > Digital Signature: The menu path in Word to attach a certificate to the active macro project.
- AppLocker Publisher Rule: A rule type that allows execution based on the certificate thumbprint, publisher name, and product name of the signed macro.
Why AppLocker Blocks Unsigned VBA Macros in Word
AppLocker is a Windows security feature that controls which applications and scripts can run on a system. When AppLocker is configured with an Executable Rules or Script Rules policy, it checks every file for a valid digital signature before allowing execution. VBA macros embedded in Word documents are treated as scripts under AppLocker. If the macro project is unsigned or signed by a publisher not in the trusted list, AppLocker blocks it entirely.
The root cause is that AppLocker cannot verify the origin of an unsigned macro. Without a signature, the policy treats the macro as untrusted code. This applies to all macro-enabled files (.docm, .dotm, .xlsm, .pptm) opened from any location, including local drives. Signing the macro project with a code signing certificate creates a verifiable chain of trust that AppLocker can evaluate against its publisher rules.
Prerequisites for Signing
Before you begin, verify the following:
- You have a code signing certificate. Options include a certificate from a public Certificate Authority (CA) like DigiCert or Sectigo, or a self-signed certificate created with the Windows SDK tool MakeCert or PowerShell cmdlet New-SelfSignedCertificate. Public CA certificates are recommended for production environments because they are automatically trusted by Windows.
- The certificate must be installed in the computer’s Personal certificate store under Current User or Local Machine.
- You have access to Word with the Developer tab enabled. Go to File > Options > Customize Ribbon and check the Developer box.
- You are working with a macro-enabled document (.docm or .dotm) that contains the VBA code you want to sign.
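For the self-signed option listed above, the following PowerShell script is an added example (not code from the article) that creates a lab code-signing certificate with New-SelfSignedCertificate, verifies it carries the Code Signing extended key usage that the VBA Editor's certificate picker requires, exports the public part, and installs it into the Trusted Root and Trusted Publishers stores of the same machine. The subject name, export path and validity period are placeholders; run it from an elevated session because the LocalMachine stores need administrator rights.

```powershell
# Added example (not from the article): create a self-signed code-signing
# certificate for lab use, export its public part, and install it into the
# Trusted Root and Trusted Publishers stores of the same machine.
# Subject name, file path and validity period below are placeholders.
# Run from an elevated PowerShell session (LocalMachine stores need admin).

$subject    = 'CN=Contoso Macro Signing (TEST)'   # placeholder publisher name
$exportPath = Join-Path $env:TEMP 'macro-signing-test.cer'

# 1. Create the certificate in the Current User Personal store.
#    -Type CodeSigningCert sets the Code Signing EKU (1.3.6.1.5.5.7.3.3),
#    which is what the VBA Editor's Select Certificate dialog filters on.
$cert = New-SelfSignedCertificate `
    -Subject $subject `
    -Type CodeSigningCert `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -NotAfter (Get-Date).AddYears(1)

# 2. Confirm the EKU really is present before trying to sign anything.
$hasCodeSigningEku = $cert.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.3'
if (-not $hasCodeSigningEku) {
    throw "Certificate $($cert.Thumbprint) lacks the Code Signing EKU"
}

# 3. Export the public certificate only (no private key) for distribution.
Export-Certificate -Cert $cert -FilePath $exportPath -Type CERT | Out-Null

# 4. Trust it on this machine: a self-signed certificate is its own root, so it
#    goes into Trusted Root; the Trusted Publishers store is what the article's
#    troubleshooting section tells you to check when a signed macro still fails.
Import-Certificate -FilePath $exportPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null
Import-Certificate -FilePath $exportPath -CertStoreLocation 'Cert:\LocalMachine\TrustedPublisher' | Out-Null

"Thumbprint : $($cert.Thumbprint)"
"Subject    : $($cert.Subject)"
"Exported   : $exportPath"
```

Keep the thumbprint it prints; it is the value you will match in the certificate stores later. Because the private key of a certificate placed in Trusted Root can sign anything that machine will then trust, keep that key on the signing workstation only and distribute just the exported .cer file to the machines that need to trust it.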
Steps to Sign a VBA Macro Project in Word
- Open the VBA Editor. In Word, press Alt+F11 to open the Visual Basic for Applications editor. Alternatively, click the Developer tab and then click Visual Basic.
- Select the macro project to sign. In the Project Explorer pane on the left, click the project name that corresponds to your document. The project name usually matches the document filename.
- Open the Digital Signature dialog. In the VBA Editor menu bar, click Tools > Digital Signature. This opens a dialog showing the current signature status of the project.
- Choose a certificate. Click the Choose button. The Select Certificate dialog displays all code signing certificates installed in your Personal certificate store. Select the certificate you want to use and click OK. If the certificate is not listed, verify it is installed correctly and that it has the Code Signing extended key usage.
- Confirm the signature. Back in the Digital Signature dialog, the Certificate Name field now shows the subject name of the selected certificate. Click OK to apply the signature to the macro project.
- Save and close the document. Save the macro-enabled document by pressing Ctrl+S or clicking File > Save. Close the VBA Editor. The signed document is now ready for distribution in an AppLocker-protected environment.
Configuring AppLocker to Trust the Signed Macro
After signing the macro, you must create an AppLocker publisher rule that allows execution based on the certificate. This step is performed by a system administrator on the target machine or via Group Policy.
- Open Local Security Policy. Press Win+R, type secpol.msc, and press Enter. Navigate to Security Settings > Application Control Policies > AppLocker.
- Create a new Script Rule. Right-click Script Rules and select Create New Rule. Click Next on the Before You Begin page.
- Set the action to Allow. On the Permissions page, select Allow. Ensure the User or group is set to Everyone or the applicable group. Click Next.
- Select the Publisher condition. On the Conditions page, select Publisher as the rule condition. Click Next.
- Browse to a signed document. Click Browse, locate the signed .docm file, and select it. AppLocker reads the digital signature and displays the publisher information. You can set the slider to any level: Publisher, Product Name, File Name, or File Version. For most environments, Publisher or Product Name is sufficient. Click Next.
- Name and finish the rule. Give the rule a descriptive name, such as “Signed Word Macros from Company CA”. Click Create. The rule now allows any macro signed by that publisher to execute.
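The same publisher rule can be deployed without the wizard, which matters when many machines need it. The following PowerShell script is an added example (not from the article) that writes the rule as AppLocker policy XML, merges it into the local policy with Set-AppLockerPolicy, and lists the resulting Script rules for checking. The publisher name is a placeholder: copy the exact value the wizard shows on its Publisher page (or read it from the output of Get-AppLockerPolicy -Effective -Xml on a machine where the rule was created once) for your own certificate. Run it elevated.

```powershell
# Added example (not from the article): create the Script Rules publisher rule
# from the article as AppLocker policy XML and merge it into the local policy.
# PublisherName is a placeholder; use the value the wizard shows for your cert.
# Run from an elevated PowerShell session.

$publisherName = 'O=CONTOSO, L=REDMOND, S=WASHINGTON, C=US'  # placeholder subject of the signing cert
$ruleName      = 'Signed Word Macros from Company CA'
$ruleId        = [guid]::NewGuid().ToString()
$policyPath    = Join-Path $env:TEMP 'signed-macro-publisher-rule.xml'

# UserOrGroupSid S-1-1-0 is Everyone. ProductName and BinaryName "*" match any
# signed file from this publisher, equivalent to the wizard slider at "Publisher".
# Tightening ProductName to a specific value is the "Product Name" slider level.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Script" EnforcementMode="Enabled">
    <FilePublisherRule Id="$ruleId" Name="$ruleName" Description="Allow macro projects signed by the company code-signing certificate" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="$publisherName" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="0.0.0.0" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
</AppLockerPolicy>
"@

# Fail early if the document is not well-formed XML, before AppLocker sees it.
[xml]$parsed = $policyXml
$policyXml | Set-Content -Path $policyPath -Encoding UTF8

# -Merge adds this rule to the existing local policy instead of replacing it.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge

# Read back the effective policy and show the Script publisher rules.
$effective = [xml](Get-AppLockerPolicy -Effective -Xml)
$effective.AppLockerPolicy.RuleCollection |
    Where-Object Type -eq 'Script' |
    ForEach-Object { $_.FilePublisherRule } |
    Select-Object Name, Action, @{ n = 'Publisher'; e = { $_.Conditions.FilePublisherCondition.PublisherName } }
```

For domain-wide deployment, import the same XML into the AppLocker node of a Group Policy Object instead of merging it locally. Enforcement also depends on the Application Identity service (AppIDSvc) running on the target machine; a rule that merges cleanly but is never evaluated looks identical to a missing rule from the user's side.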
Common Issues After Signing Macros for AppLocker
The macro still does not run after signing
If AppLocker continues to block the signed macro, verify the following: The certificate used for signing must be present in the Trusted Publishers store on the target machine. Open certlm.msc (Local Machine certificates) or certmgr.msc (Current User certificates) and check that the CA certificate chain is installed under Trusted Root Certification Authorities and the code signing certificate is under Trusted Publishers. Also confirm that the AppLocker rule references the correct publisher and that the rule scope includes the user account opening the document.
Word shows “Digital signature is invalid” error
This error occurs when the certificate has expired or the signature was applied to a project that was modified after signing. Open the VBA Editor, go to Tools > Digital Signature, and verify the certificate expiration date. If the certificate is expired, obtain a new certificate and re-sign the project. Any code change after signing invalidates the signature, so always sign as the final step before distribution.
Self-signed certificate not trusted by AppLocker
Self-signed certificates are not automatically trusted by Windows. To use a self-signed certificate in an AppLocker environment, you must manually install its root certificate into the Trusted Root Certification Authorities store on every target machine. Use certlm.msc to import the .cer file. Without this step, AppLocker treats the signature as untrusted and blocks execution.
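The three troubleshooting cases above (certificate missing from Trusted Publishers, expired certificate, and untrusted self-signed root) can be checked from one place. The following PowerShell function is an added example (not from the article) that takes a certificate thumbprint, reports which local stores hold it, flags an expired or not-yet-valid certificate, confirms the Code Signing extended key usage, and builds the certificate chain to show whether the root is trusted. The thumbprint value is a placeholder to replace with the one printed when the certificate was created.

```powershell
# Added example (not from the article): diagnose why a signed macro is still
# blocked by checking the signing certificate's stores, validity, EKU and chain.
# The thumbprint below is a placeholder; supply the one from your certificate.

function Test-MacroSigningCert {
    param([Parameter(Mandatory)][string]$Thumbprint)

    # Stores the article tells you to inspect with certlm.msc / certmgr.msc.
    $stores = @(
        'Cert:\CurrentUser\My',
        'Cert:\LocalMachine\My',
        'Cert:\CurrentUser\TrustedPublisher',
        'Cert:\LocalMachine\TrustedPublisher',
        'Cert:\CurrentUser\Root',
        'Cert:\LocalMachine\Root'
    )

    $found = foreach ($store in $stores) {
        $c = Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
             Where-Object Thumbprint -eq $Thumbprint
        if ($c) { [pscustomobject]@{ Store = $store; Certificate = $c } }
    }

    if (-not $found) {
        return [pscustomobject]@{
            Thumbprint = $Thumbprint
            Found      = $false
            Problems   = @('Certificate not found in any local store')
        }
    }

    $cert     = ($found | Select-Object -First 1).Certificate
    $problems = @()
    $now      = Get-Date

    # "Digital signature is invalid" case: certificate outside its validity window.
    if ($cert.NotAfter -lt $now)  { $problems += "Expired on $($cert.NotAfter)" }
    if ($cert.NotBefore -gt $now) { $problems += "Not valid until $($cert.NotBefore)" }

    # The VBA Editor only offers certificates with the Code Signing EKU.
    if ($cert.EnhancedKeyUsageList.ObjectId -notcontains '1.3.6.1.5.5.7.3.3') {
        $problems += 'Missing Code Signing EKU (1.3.6.1.5.5.7.3.3)'
    }

    # Trusted Publishers check from the article's first troubleshooting item.
    if (-not ($found.Store -match 'TrustedPublisher')) {
        $problems += 'Not present in a Trusted Publishers store'
    }

    # Chain build with revocation checking off so it works offline. A failure
    # here usually means the issuer (or the self-signed certificate itself) is
    # not in a Trusted Root Certification Authorities store.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    if (-not $chain.Build($cert)) {
        $problems += ($chain.ChainStatus | ForEach-Object { "Chain: $($_.Status) - $($_.StatusInformation.Trim())" })
    }

    [pscustomobject]@{
        Thumbprint = $cert.Thumbprint
        Subject    = $cert.Subject
        Found      = $true
        Stores     = $found.Store
        Problems   = $problems
    }
}

$thumbprint = '0000000000000000000000000000000000000000'   # placeholder
Test-MacroSigningCert -Thumbprint $thumbprint | Format-List
```

An empty Problems list means the certificate side is healthy, so the remaining suspects are the AppLocker rule itself (wrong publisher string or a user scope that excludes the account opening the document) and whether the project was modified after it was signed.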
Self-Signed vs CA-Signed Certificate for VBA Macro Signing
| Item | Self-Signed Certificate | CA-Signed Certificate |
|---|---|---|
| Cost | Free | Annual fee from CA |
| Trust by default | Not trusted; requires manual installation on each machine | Trusted automatically if CA root is in Windows Trusted Root store |
| Deployment complexity | High; must distribute root certificate via Group Policy or manually | Low; no additional certificate distribution needed |
| Best for | Testing, small internal teams | Enterprise production environments |
Both certificate types produce a valid digital signature that AppLocker can evaluate. The key difference is the trust chain setup required for self-signed certificates.
You can now sign VBA macro projects in Word using a code signing certificate and configure AppLocker to allow those signed macros to run. Test the signed document on a machine with AppLocker enforced to confirm the publisher rule works as expected. For ongoing macro deployment, consider automating the signing process with a build script that uses the SignTool.exe command-line tool, which can sign Office macro projects without opening the VBA Editor manually.