check before: 2025-07-06
Product:
Windows, Windows Server
Platform:
Online, Windows Desktop, World tenant
Status:
Change type:
Admin impact
Links:

Details:
Microsoft is updating the logic used by Application Control for Business to handle signer rules that rely on TBS (To Be Signed) hash values for Microsoft intermediate certificate authorities (CAs). This is in response to the upcoming expiration of several 15-year CAs, starting in July 2025. The new logic allows Application Control to automatically infer trust for the new 2023 and 2024 CAs if your existing policy already trusts the older CAs. Signer elements such as CertEKU, CertPublisher, FileAttribRef and CertOemId are preserved by the inference logic.
When this will happen:
The CAs will expire according to the following schedule:
July 6, 2025 - Microsoft Code Signing PCA 2010
July 6, 2025 - Microsoft Windows PCA 2010
July 8, 2026 - Microsoft Code Signing PCA 2011
October 19, 2026 - Windows Production PCA 2011
April 18, 2027 - Microsoft Windows Third Party Component CA 2012
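A check a policy owner may want before the first expiry date: which Signer rules in a policy use a TBS CertRoot for one of the CAs on the schedule above, and which of the preserved child elements (CertEKU, CertPublisher, FileAttribRef, CertOemId) those rules carry. This is an added example, not Microsoft's code; it matches on the informational Name attribute of the Signer element because the notice gives no TBS hash values, so in a real audit the comparison should be made on the CertRoot Value instead. The policy XML and the TBS values in it are constructed placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"si": "urn:schemas-microsoft-com:sipolicy"}

# Expiration schedule from the notice. Names are matched against the
# informational Name attribute of each Signer (assumption: real audits
# should compare the CertRoot Value, i.e. the TBS hash, instead).
EXPIRING_CAS = {
    "Microsoft Code Signing PCA 2010": "2025-07-06",
    "Microsoft Windows PCA 2010": "2025-07-06",
    "Microsoft Code Signing PCA 2011": "2026-07-08",
    "Windows Production PCA 2011": "2026-10-19",
    "Microsoft Windows Third Party Component CA 2012": "2027-04-18",
}

# Child elements the notice says the inference logic preserves.
PRESERVED = ("CertEKU", "CertPublisher", "FileAttribRef", "CertOemId")

# Constructed sample policy; the TBS values are placeholders, not real hashes.
SAMPLE_POLICY = """<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy">
  <Signers>
    <Signer ID="ID_SIGNER_A" Name="Microsoft Code Signing PCA 2011">
      <CertRoot Type="TBS" Value="PLACEHOLDER_TBS_2011"/>
      <CertPublisher Value="Microsoft Corporation"/>
      <FileAttribRef RuleID="ID_FILEATTRIB_APP"/>
    </Signer>
    <Signer ID="ID_SIGNER_B" Name="Contoso Code Signing CA">
      <CertRoot Type="TBS" Value="PLACEHOLDER_TBS_CONTOSO"/>
    </Signer>
    <Signer ID="ID_SIGNER_C" Name="Microsoft Windows PCA 2010">
      <CertRoot Type="Wellknown" Value="06"/>
    </Signer>
  </Signers>
</SiPolicy>"""


def find_expiring_tbs_signers(policy_xml):
    """Return {signer_id: (ca_name, expiry, [preserved child tags])} for every
    Signer whose CertRoot is a TBS hash of a CA on the expiration schedule."""
    root = ET.fromstring(policy_xml)
    hits = {}
    for signer in root.findall("si:Signers/si:Signer", NS):
        cert_root = signer.find("si:CertRoot", NS)
        if cert_root is None or cert_root.get("Type") != "TBS":
            continue  # Wellknown roots are not TBS-based and are not affected
        name = signer.get("Name", "")
        if name not in EXPIRING_CAS:
            continue
        kept = [c.tag.split("}")[-1] for c in signer
                if c.tag.split("}")[-1] in PRESERVED]
        hits[signer.get("ID")] = (name, EXPIRING_CAS[name], kept)
    return hits
```

Run the function over each deployed policy XML to see which rules the inference logic will have to cover, and confirm the preserved elements listed per rule match what your policy expects.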
Change Category:
Scope:
Release Phase:
Created:
2025-06-17
Updated:
2025-07-03
Task Type
Docu to Check
MS How does it affect me
MS Preparations
MS Urgency
MS workload name
summary for non-techies**
Microsoft is updating Application Control for Business to automatically trust new digital certificates when the old ones are already trusted. The update is applied through regular Windows updates, and users can opt out if they prefer manual verification.
Direct effects for Operations**
Certificate Authority Expiration
If organizations do not prepare for the new CA handling logic, applications that rely on the expiring CAs may fail validation, leading to application crashes or failures.
- roles: System Administrator, Application Developer
- references: https://learn.microsoft.com/windows/security/application-security/application-control/app-control-for-business/appcontrol, https://support.microsoft.com/topic/windows-support-for-the-application-control-for-business-new-ca-handling-logic-0be5df55-f4d7-458a-808f-7949d6a80850
User Experience Degradation
Users may experience disruptions in accessing applications that depend on the expiring CAs, leading to decreased productivity and frustration.
- roles: End User, Help Desk Support
- references: https://learn.microsoft.com/windows/security/application-security/application-control/app-control-for-business/feature-availability, https://support.microsoft.com/topic/0a30e9ee-5038-45dd-a5d7-70a8813a5e39
Policy Management Issues
Without proper preparation, existing policies may not automatically extend trust to new CAs, causing potential security risks and compliance issues.
- roles: IT Security Manager, Compliance Officer
- references: https://support.microsoft.com/topic/3c3f9c71-6082-4d4a-a6f2-1cd11b0a03e1, https://support.microsoft.com/topic/40cbe5df-063a-4b89-94eb-c79c8975506d
Configuration Options**
Opportunities**
Enhanced Security Posture
The new CA handling logic will automatically infer trust for newer CAs, reducing the risk of disruptions caused by expired certificates. This enhances the overall security posture by ensuring that applications continue to run smoothly without manual intervention for certificate updates.
- next-steps: Communicate the changes to the security and compliance teams. Review and update security policies to align with the new CA handling logic and ensure all applications are compliant with the new standards.
- roles: Security Administrators, Compliance Officers, IT Managers
- references: https://learn.microsoft.com/windows/security/application-security/application-control/app-control-for-business/appcontrol, https://support.microsoft.com/topic/windows-support-for-the-application-control-for-business-new-ca-handling-logic-0be5df55-f4d7-458a-808f-7949d6a80850
Reduced Administrative Overhead
With the new logic, there is no need for policy updates if existing rules reference the expiring CAs. This reduces the administrative burden on IT staff who would otherwise need to manually update policies, allowing them to focus on other critical tasks.
- next-steps: Assess the current policy landscape to identify areas where updates would have been required. Train IT staff on the new logic to ensure they understand the implications and can manage the system effectively.
- roles: IT Administrators, System Administrators, Operations Managers
- references: https://learn.microsoft.com/windows/security/application-security/application-control/app-control-for-business/feature-availability, https://support.microsoft.com/topic/3c3f9c71-6082-4d4a-a6f2-1cd11b0a03e1
Streamlined User Experience
By automatically inferring trust for new CAs, users will experience fewer interruptions due to certificate issues. This improves user satisfaction and productivity as applications will continue to function without requiring user intervention for certificate updates.
- next-steps: Gather user feedback on application performance and any certificate-related issues. Monitor application usage and resolve any issues that arise during the transition to the new CA handling logic.
- roles: End Users, Help Desk Support, IT Managers
- references: https://learn.microsoft.com/windows/security/application-security/application-control/app-control-for-business/appcontrol, https://support.microsoft.com/topic/40cbe5df-063a-4b89-94eb-c79c8975506d
Potential Risks**
IT Security**
explanation for non-techies**
** AI generated content. This information must be reviewed before use.