How to Create a Word Template With Embedded Macros That Comply With AppLocker

You need a Word template that contains macros but your organization uses AppLocker to block untrusted VBA code. AppLocker restricts which files can run macros based on publisher rules, path rules, or hash rules. When a template is not signed or stored in an allowed location, Word disables the macros silently or blocks the file entirely. This article explains how to create a .dotm template with embedded macros that AppLocker allows, using code signing and the correct file path.

Key Takeaways: Creating an AppLocker-Compliant Word Macro Template

  • Sign the VBA project with a code signing certificate from a trusted CA: AppLocker’s publisher rule allows macros signed by a trusted publisher to run without restriction.
  • Save the .dotm template to a path allowed by AppLocker’s path rule: For example, C:\Program Files\Microsoft Office\Templates\ or a custom IT-approved folder.
  • Use the Trust Center to set macro security to “Disable all macros except digitally signed macros”: This ensures only your signed template’s macros run while all unsigned macros are blocked.

Why AppLocker Blocks Macros in Word Templates

AppLocker is a Windows security feature that controls which applications and scripts can run on a device. For Office files, AppLocker evaluates the VBA macro code inside .docm, .dotm, and .xlsm files. It uses three types of rules: publisher rules that check the digital signature of the macro project, path rules that allow or deny execution based on the file’s folder location, and hash rules that match the file’s hash value.

When a user opens a .dotm template that contains macros, Word checks the macro security settings in the Trust Center. If AppLocker is enforced, Word also queries the AppLocker policy. If the macro project is not signed by a trusted publisher or the file is not in an allowed path, AppLocker prevents the macros from running. The user may see a security warning that says “Macros have been disabled” or the file may be blocked entirely with an error message stating that the file is not trusted.

The root cause is that the template either lacks a valid digital signature on its VBA project, is stored in a location not covered by an AppLocker path rule, or both. To comply with AppLocker, you must address both the signing requirement and the path requirement.

Steps to Create a Word Template With Embedded Macros That AppLocker Allows

Follow these steps to create a .dotm template, add macros, sign the VBA project, and save it to an AppLocker-compliant location.

Step 1: Create a New Word Template and Enable Macros

  1. Open Word and create a new blank document
    Launch Word. Click File > New > Blank document. This gives you a fresh file to design your template.
  2. Save the file as a macro-enabled template
    Click File > Save As. In the Save as type dropdown, select Word Macro-Enabled Template (*.dotm). Choose a temporary folder like your Desktop for now. Name the file and click Save.
  3. Open the Visual Basic for Applications editor
    Press Alt+F11 to open the VBA editor. In the Project Explorer pane, locate your template project. It will be named something like TemplateProject.
  4. Insert a module and write your macro
    In the VBA editor, click Insert > Module. A new code module appears. Paste or type your VBA macro code into the module. For example, a simple macro that inserts the current date:
        ' Inserts today's date at the cursor as static text (not an updating field).
        Sub InsertDate()
            Selection.InsertDateTime DateTimeFormat:="MMMM d, yyyy", _
                InsertAsField:=False
        End Sub

Step 2: Sign the VBA Project With a Code Signing Certificate

  1. Obtain a code signing certificate from a trusted CA
    Purchase a code signing certificate from a public Certificate Authority such as DigiCert, GlobalSign, or Sectigo. The certificate must be for code signing (not SSL). Install it on the computer where you will sign the template.
  2. Open the Digital Signature dialog in the VBA editor
    In the VBA editor, click Tools > Digital Signature. The Digital Signature dialog appears.
  3. Click Choose and select your certificate
    Click the Choose button. In the Select Certificate dialog, pick your code signing certificate from the list. Click OK. The dialog now shows the certificate name under “The VBA project is currently signed as”.
  4. Confirm the signature and close the dialog
    Click OK to close the Digital Signature dialog. Save the template by pressing Ctrl+S.

Step 3: Deploy the Template to an AppLocker-Allowed Path

  1. Identify the allowed AppLocker path for macros
    Check with your IT administrator for the exact path rule configured in AppLocker. Common allowed paths include C:\Program Files\Microsoft Office\Templates\ or a network share like \\company\share\templates\. If no path rule exists, you may need to request one.
  2. Copy the signed .dotm file to the allowed path
    Use File Explorer to copy your signed template file to the allowed folder. Overwrite any existing file if necessary.
  3. Set the user template location in Word
    Open Word. Click File > Options > Advanced. Scroll to the General section and click File Locations. Select User templates and click Modify. Browse to the allowed folder and click OK. Click OK again to close the Options dialog.
  4. Test the template on a machine with AppLocker enabled
    On a test computer that has AppLocker enforced, open Word and click File > New > Personal. Your template should appear. Select it to create a new document. The macro should run without a security warning. If a warning appears, verify the certificate is trusted on that machine and that the file path matches the AppLocker rule.
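
One way to carry out sub-step 1 of Step 3 from PowerShell, as an added example that is not part of the original article: it lists the path rules in the effective AppLocker policy that cover a template folder, then flags write access for broad user groups, because a path rule allows anything placed in that folder. The folder C:\ApprovedTemplates and the file name template.dotm are assumptions, and only four common AppLocker path variables are expanded.

```powershell
# Added example. C:\ApprovedTemplates and template.dotm are hypothetical names.
param([string]$TemplateFolder = 'C:\ApprovedTemplates')

# Expand the AppLocker path variables most often used in path conditions.
function Expand-AppLockerPath([string]$Path) {
    $map = @{
        '%OSDRIVE%'      = @($env:SystemDrive)
        '%WINDIR%'       = @($env:windir)
        '%SYSTEM32%'     = @("$env:windir\System32")
        '%PROGRAMFILES%' = @($env:ProgramFiles, ${env:ProgramFiles(x86)})
    }
    foreach ($var in $map.Keys) {
        if ($Path -like "$var*") {
            return $map[$var] | Where-Object { $_ } |
                ForEach-Object { $_ + $Path.Substring($var.Length) }
        }
    }
    return $Path
}

# Flatten every path rule of the effective (merged local + GPO) policy.
[xml]$policy = Get-AppLockerPolicy -Effective -Xml
$rules = foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
    foreach ($rule in $collection.FilePathRule) {
        foreach ($cond in $rule.Conditions.FilePathCondition) {
            foreach ($expanded in Expand-AppLockerPath $cond.Path) {
                [pscustomobject]@{
                    Collection = $collection.GetAttribute('Type')
                    Mode       = $collection.GetAttribute('EnforcementMode')
                    Action     = $rule.GetAttribute('Action')
                    Rule       = $rule.GetAttribute('Name')
                    Path       = $expanded
                }
            }
        }
    }
}

# Path rules whose wildcard pattern covers a file in the template folder.
$probe = Join-Path $TemplateFolder 'template.dotm'
$rules | Where-Object { $probe -like $_.Path } | Format-Table -AutoSize

# A path rule trusts the whole folder, so broad write access undermines it.
$broadSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'  # Everyone, Authenticated Users, Users
$writeBits = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData'
(Get-Acl -Path $TemplateFolder).GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   $_.IdentityReference.Value -in $broadSids -and
                   ($_.FileSystemRights -band $writeBits) } |
    Select-Object IdentityReference, FileSystemRights, IsInherited
```

Any row returned by the last pipeline means ordinary users can add files to a folder the path rule allows; tighten the folder ACL before relying on that rule.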

Common Issues When Creating AppLocker-Compliant Macro Templates

Word Shows “Macros Have Been Disabled” Even After Signing

This usually means the code signing certificate is not trusted by the computer. The certificate must be installed in the Trusted Root Certification Authorities store on each user’s machine. If your organization uses Group Policy, the IT administrator can deploy the certificate to all domain-joined computers. Alternatively, you can use a certificate from a CA that is already trusted by Windows, such as DigiCert or GlobalSign.

AppLocker Blocks the Template Entirely With an Error Message

If AppLocker blocks the file before Word even opens it, the path rule is likely missing or incorrect. Check the Event Viewer under Applications and Services Logs > Microsoft > Windows > AppLocker > EXE and DLL for blocked events. The log will show the file path and the rule type that blocked it. Work with your IT administrator to add a path rule that includes the folder where you saved the template.

The Template Works on One Computer but Not on Another

This is almost always a certificate trust issue. The certificate used to sign the VBA project is not installed in the Trusted Root store on the second computer. Deploy the certificate via Group Policy or ask users to manually install it. Also verify that the template file is in the same allowed path on both computers.
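
A diagnostic script for the three issues above, added here and not part of the original article: on the affected machine it builds the trust chain for the signing certificate, checks the code-signing EKU and the Trusted Publishers stores, and lists recent block events from the AppLocker log named above. The path C:\Temp\signer.cer (an exported public copy of the signing certificate) is an assumption, and the Trusted Publishers lookup goes beyond the store the article names.

```powershell
# Added example. C:\Temp\signer.cer is a hypothetical export of the signing
# certificate (public part only); run this on the machine where macros fail.
param([string]$SignerCer = 'C:\Temp\signer.cer')

$x509  = 'System.Security.Cryptography.X509Certificates'
$cert  = New-Object "$x509.X509Certificate2" -ArgumentList $SignerCer
$chain = New-Object "$x509.X509Chain"

# Build() returns $true only if the chain ends in a root this machine trusts
# and no element is expired or revoked (revocation is checked online by default).
$chainTrusted = $chain.Build($cert)

# The certificate must carry the Code Signing EKU (OID 1.3.6.1.5.5.7.3.3).
$eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
$hasCodeSigning = [bool]($eku -and ($eku.EnhancedKeyUsages.Value -contains '1.3.6.1.5.5.7.3.3'))

# Stores in which this exact certificate is listed as a trusted publisher.
$publisherStores = 'Cert:\LocalMachine\TrustedPublisher', 'Cert:\CurrentUser\TrustedPublisher' |
    Where-Object { Test-Path "$_\$($cert.Thumbprint)" }

[pscustomobject]@{
    Subject          = $cert.Subject
    NotAfter         = $cert.NotAfter
    ChainTrusted     = $chainTrusted
    ChainStatus      = ($chain.ChainStatus.Status -join ', ')
    CodeSigningEku   = $hasCodeSigning
    TrustedPublisher = ($publisherStores -join ', ')
} | Format-List

# AppLocker events from the last 24 hours:
#   8004 = file was blocked, 8003 = would have been blocked (audit-only mode).
$filter = @{
    LogName   = 'Microsoft-Windows-AppLocker/EXE and DLL'
    Id        = 8003, 8004
    StartTime = (Get-Date).AddDays(-1)
}
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-List
```

Comparing the output from a working and a failing computer shows whether the difference is the trust chain, the publisher store, or an AppLocker block.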

Word Macro Template Deployment Methods: Self-Signed vs CA-Signed vs No Signature

| Item | Self-Signed Certificate | CA-Signed Certificate | No Signature |
|---|---|---|---|
| Trust by default | Only on the signing computer | All computers that trust the CA | None |
| AppLocker publisher rule | Not recommended; certificate not in trusted root | Works if CA is trusted | Does not work |
| AppLocker path rule | Works if file is in allowed path | Works if file is in allowed path | Works only if file is in allowed path |
| User sees security warning | Yes, unless certificate is manually trusted | No, if CA is already trusted | Yes, always |
| Deployment effort | Low for single machine | Medium; certificate must be deployed | Low but not secure |

You can now create a signed .dotm template that AppLocker allows on managed devices. Next, set up a Group Policy Object to deploy the certificate and the template path to all users. For advanced control, use an AppLocker hash rule instead of a path rule if you need to allow only a specific version of the template file.
