
Windows adds support for the new certificate authority handling logic in Application Control for Business


Microsoft is updating the logic used by Application Control for Business to handle signer rules that rely on TBS (To Be Signed) hash values for Microsoft intermediate certificate authorities (CAs). This is in response to the upcoming expiration of several 15-year CAs starting in July 2025. The new logic allows Application Control to automatically infer trust for the new 2023 and 2024 CAs if your existing policy already trusts the older CAs. Signer elements like CertEKU, CertPublisher, FileAttribRef and CertOemId are preserved in the inferencing logic.

When this will happen:

Beginning in July 2025, these CAs will begin to expire according to the following schedule:

* July 6, 2025 – Microsoft Code Signing PCA 2010
* July 6, 2025 – Microsoft Windows PCA 2010
* July 8, 2026 – Microsoft Code Signing PCA 2011
* October 19, 2026 – Windows Production PCA 2011
* April 18, 2027 – Microsoft Windows Third Party Component CA 2012

How this will affect your organization:

Microsoft has serviced the TBS hash handling logic for the expiring CAs to all supported versions of Windows where Application Control is supported, beginning with the following releases:

* Windows Server 2025: May 13, 2025—KB5058411
* Windows 11, version 24H2: April 25, 2025—KB5055627
* Windows Server, version 23H2: May 13, 2025—KB5058384
* Windows 11, version 22H2 and 23H2: April 22, 2025—KB5055629
* Windows Server 2022: May 13, 2025—KB5058385
* Windows 10, versions 21H2 and 22H2: May 13, 2025—KB5058379
* Windows 10 Enterprise LTSC 2019 and Windows Server 2019: May 13, 2025—KB5058392
* Windows 10 Enterprise LTSB 2016 and Windows Server 2016: May 13, 2025—KB5058383

What you need to do to prepare:

Ensure your systems are updated with the updates listed above or subsequent ones. No policy updates are required if your existing rules reference the expiring CAs. Windows will seamlessly extend trust to the new 2023 and 2024 CAs via Windows updates.

If you want to opt out of the TBS hash inferencing logic performed by Application Control, set the following flag in policies: Disabled: Default Windows Certificate

Additional information:

* Windows support for the Application Control for Business new CA handling logic
* App Control for Business and AppLocker feature availability
* Application Control for Windows

Message ID: MC1096052
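To see which of your policies are touched by this change, it helps to inventory the signer rules that name one of the expiring CAs and to check whether the opt-out option is set. The following script is an added example, not Microsoft's code or tooling; it assumes the standard App Control policy XML schema (`urn:schemas-microsoft-com:sipolicy`), matches the opt-out option on the text given in this notice, and uses a constructed sample policy with placeholder TBS values.

```python
import xml.etree.ElementTree as ET

NS = {"p": "urn:schemas-microsoft-com:sipolicy"}  # App Control policy XML namespace

# CA names copied from the expiration schedule in the notice.
EXPIRING_CAS = {
    "Microsoft Code Signing PCA 2010", "Microsoft Windows PCA 2010",
    "Microsoft Code Signing PCA 2011", "Windows Production PCA 2011",
    "Microsoft Windows Third Party Component CA 2012",
}
# Signer qualifiers the notice says the inferencing logic preserves.
PRESERVED = ("CertEKU", "CertPublisher", "FileAttribRef", "CertOemId")
# Opt-out option text as given in the notice (compared with whitespace removed).
OPT_OUT = "Disabled: Default Windows Certificate"


def audit_policy(xml_text):
    """Return (affected_signers, opted_out) for one policy XML document."""
    root = ET.fromstring(xml_text)
    affected = []
    for signer in root.iterfind(".//p:Signers/p:Signer", NS):
        cert_root = signer.find("p:CertRoot", NS)
        # Only TBS-hash signer rules are subject to the new inferencing logic.
        if cert_root is None or cert_root.get("Type") != "TBS":
            continue
        if signer.get("Name") in EXPIRING_CAS:
            qualifiers = [t for t in PRESERVED if signer.find(f"p:{t}", NS) is not None]
            affected.append({"id": signer.get("ID"), "name": signer.get("Name"),
                             "tbs": cert_root.get("Value"), "qualifiers": qualifiers})
    options = [o.text for o in root.iterfind(".//p:Rules/p:Rule/p:Option", NS) if o.text]
    key = OPT_OUT.replace(" ", "")
    opted_out = any(o.replace(" ", "").startswith(key) for o in options)
    return affected, opted_out


# Constructed sample policy; the TBS values are placeholders, not real hashes.
SAMPLE_POLICY = """<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy">
  <Rules><Rule><Option>Enabled:UMCI</Option></Rule></Rules>
  <Signers>
    <Signer ID="ID_SIGNER_A" Name="Microsoft Code Signing PCA 2011">
      <CertRoot Type="TBS" Value="PLACEHOLDER_TBS_A"/>
      <CertPublisher Value="Microsoft Corporation"/>
      <CertEKU ID="ID_EKU_WINDOWS"/>
    </Signer>
    <Signer ID="ID_SIGNER_B" Name="Contoso Root CA">
      <CertRoot Type="TBS" Value="PLACEHOLDER_TBS_B"/>
    </Signer>
  </Signers>
</SiPolicy>"""

if __name__ == "__main__":
    for s in audit_policy(SAMPLE_POLICY)[0]:
        print(f"{s['id']}: {s['name']} (TBS {s['tbs']}) keeps {s['qualifiers']}")
```

Run it against a policy exported from your environment to get the list of signer rules that will be covered by the inferencing (and so need no edit), and to confirm whether the opt-out option is present before you decide to keep or remove it.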

The post Windows adds support for the new certificate authority handling logic in Application Control for Business appeared first on M365 Admin.


by João Ferreira
