MC1096052: Windows add support for the new certificate authority handling logic in Application Control for Business

Microsoft is updating the logic used by Application Control for Business to handle signer rules that rely on TBS (To Be Signed) hash values for Microsoft intermediate certificate authorities (CAs). This is in response to the upcoming expiration of several 15-year CAs starting in July 2025. The new logic allows Application Control to automatically infer trust for the new 2023 and 2024 CAs if your existing policy already trusts the older CAs. Signer elements like CertEKU, CertPublisher, FileAttribRef and CertOemId are preserved in the inferencing logic.

When this will happen: Beginning in July 2025, these CAs will begin to expire according to the following schedule:

  • July 6, 2025 - Microsoft Code Signing PCA 2010
  • July 6, 2025 - Microsoft Windows PCA 2010
  • July 8, 2026 - Microsoft Code Signing PCA 2011
  • October 19, 2026 - Windows Production PCA 2011
  • April 18, 2027 - Microsoft Windows Third Party Component CA 2012
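Why a CA reissue matters to a signer rule: a TBS-type CertRoot pins the hash of the certificate's tbsCertificate, so a reissued CA with the same name yields a different value and the old rule no longer matches until the remapping logic above infers trust. The following is an added example (not Microsoft's code) that extracts tbsCertificate from a DER certificate with a minimal parser, hashes it, and reports which Signer rules in a policy fragment pin that exact certificate. It assumes the standard policy namespace `urn:schemas-microsoft-com:sipolicy`, and that the digest algorithm to compare against is the one used by the certificate's own signature (sha1 for SHA-1-signed CAs, sha256 for newer ones); the certificate bytes and policy XML are constructed stand-ins.

```python
import hashlib
import xml.etree.ElementTree as ET

NS = {"si": "urn:schemas-microsoft-com:sipolicy"}   # policy XML namespace

def _der_tlv(buf, pos):
    """Return (tag, header_len, content_len) of the DER element starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                                  # short-form length
        return tag, 2, first
    n = first & 0x7F                                  # long form: n length bytes follow
    return tag, 2 + n, int.from_bytes(buf[pos + 2:pos + 2 + n], "big")

def extract_tbs(cert_der):
    """Raw DER bytes of tbsCertificate, the first child of the Certificate SEQUENCE."""
    tag, hdr, _ = _der_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER Certificate SEQUENCE")
    tag, inner_hdr, inner_len = _der_tlv(cert_der, hdr)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    return cert_der[hdr:hdr + inner_hdr + inner_len]

def tbs_hash(cert_der, algo="sha256"):
    """Upper-case hex digest of tbsCertificate (assumption: digest of the cert's signature algorithm)."""
    return hashlib.new(algo, extract_tbs(cert_der)).hexdigest().upper()

def signers_matching(policy_xml, cert_der):
    """IDs of Signer elements whose CertRoot Type="TBS" pins exactly this certificate."""
    digests = {tbs_hash(cert_der, a) for a in ("sha1", "sha256", "sha384", "sha512")}
    root = ET.fromstring(policy_xml)
    hits = []
    for signer in root.findall(".//si:Signers/si:Signer", NS):
        cr = signer.find("si:CertRoot", NS)
        if cr is not None and cr.get("Type") == "TBS" and cr.get("Value", "").upper() in digests:
            hits.append(signer.get("ID"))
    return hits

# Constructed stand-in for a CA certificate: SEQUENCE { tbs SEQUENCE { INTEGER 0x010203 },
# empty signatureAlgorithm SEQUENCE, 1-byte BIT STRING }. Not a real certificate.
SAMPLE_TBS = b"\x30\x05\x02\x03\x01\x02\x03"
SAMPLE_CERT = b"\x30\x0d" + SAMPLE_TBS + b"\x30\x00" + b"\x03\x02\x00\xff"
# Constructed policy fragment: one rule pins the sample cert by TBS hash, one pins a
# stale hash (what a rule for an expired CA looks like once the CA has been reissued).
SAMPLE_POLICY = f"""<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy">
  <Signers>
    <Signer ID="ID_SIGNER_CURRENT" Name="Sample CA"><CertRoot Type="TBS" Value="{tbs_hash(SAMPLE_CERT)}"/></Signer>
    <Signer ID="ID_SIGNER_STALE" Name="Old CA"><CertRoot Type="TBS" Value="{'00' * 32}"/></Signer>
  </Signers>
</SiPolicy>"""
```

Run `signers_matching(policy_text, ca_der)` over a real policy and the DER of each reissued CA to see which rules would only be satisfied by the inferencing logic.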

How this will affect your organization: Microsoft has serviced the TBS hash handling logic for the expiring CAs to all supported versions of Windows where Application Control is supported beginning with the following releases:

What you need to do to prepare: Ensure your systems are updated with the updates listed above or subsequent ones. No policy updates are required if your existing rules reference the expiring CAs. Windows will seamlessly extend trust to the new 2023 and 2024 CAs via Windows updates. If you want to opt out of the TBS hash inferencing logic performed by Application Control, set the following flag in policies: Disabled:Default Windows Certificate Remapping.

Additional information: