We are planning the Group Policies to set for the deployment of Office 365 ProPlus. Since we would like to increase security, I want to set the Option to only allow Addins signed by trusted publishers. My problem is, that I cannot get it to work properly.

I have a Document Level Customization (namely an Excel-Template created with Visual Studio and some functionality) that is deployed by ClickOnce. The solution is both signed in the ClickOnce Manifest and has a strong name with another certificate.

I put the corresponding certificates in the trusted root certification authorities and everything is fine as long as I use a standard Installation of Office 365 with no settings:

When I open the deployed file Office tells me about the risk and I can install - I do not get a warning about the certificate not being trusted (I got this warning as expected until I put the certificates in the store)

If I activate the Group Policy for Excel 2013 to only allow Addins signed by trusted publishers, Excel tells me, that it cannot install the solution because it was signed with a certificate that is not trusted.

What am I missing?