MC1096052 Windows adds support for the new certificate authority handling logic in Application Control for Business
Microsoft is updating the logic used by Application Control for Business to handle signer rules that rely on TBS (To Be Signed) hash values for Microsoft intermediate certificate authorities (CAs). This is in response to the upcoming expiration of several 15-year CAs starting in July 2025. The new logic allows Application Control to automatically infer trust for the new 2023 and 2024 CAs if your existing policy already trusts the older CAs. Signer elements like CertEKU, CertPublisher, FileAttribRef and CertOemId are preserved in the inferencing logic.

When this will happen: Beginning in July 2025, these CAs will begin to expire according to the following schedule:

July 6, 2025 - Microsoft Code Signing PCA 2010
July 6, 2025 - Microsoft Windows PCA 2010
July 8, 2026 - Microsoft Code Signing PCA 2011
October 19, 2026 - Windows Production PCA 2011
April 18, 2027 - Microsoft Windows Third Party Co
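
As an added example (not Microsoft's code and not part of this notice), the script below inventories the signer rules in a policy XML that pin the TBS hash of an expiring CA and lists which of the preserved elements each rule carries. The TBS values, signer IDs and sample policy are constructed placeholders; the namespace and element names are those of the App Control policy XML.

```python
import xml.etree.ElementTree as ET

NS = "{urn:schemas-microsoft-com:sipolicy}"
# Signer child elements the notice says are preserved by the inference logic.
QUALIFIERS = ("certeku", "certpublisher", "fileattribref", "certoemid")

# CONSTRUCTED placeholders, not real TBS hashes: substitute the TBS hash
# values of the expiring CAs as they appear in your own policies.
EXPIRING_TBS = {
    "PLACEHOLDER_TBS_CODE_SIGNING_PCA_2010": "Microsoft Code Signing PCA 2010",
    "PLACEHOLDER_TBS_WINDOWS_PCA_2010": "Microsoft Windows PCA 2010",
}

# CONSTRUCTED sample policy fragment (signer IDs and values are made up).
SAMPLE_POLICY = """<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy">
  <Signers>
    <Signer ID="ID_SIGNER_S_1" Name="Publisher rule under Code Signing PCA 2010">
      <CertRoot Type="TBS" Value="placeholder_tbs_code_signing_pca_2010" />
      <CertPublisher Value="Example Publisher" />
      <FileAttribRef RuleID="ID_FILEATTRIB_F_1" />
    </Signer>
    <Signer ID="ID_SIGNER_S_2" Name="Bare PCA rule under Windows PCA 2010">
      <CertRoot Type="TBS" Value="PLACEHOLDER_TBS_WINDOWS_PCA_2010" />
    </Signer>
    <Signer ID="ID_SIGNER_S_3" Name="Unrelated CA">
      <CertRoot Type="TBS" Value="PLACEHOLDER_TBS_SOME_OTHER_CA" />
    </Signer>
  </Signers>
</SiPolicy>"""

def audit_signers(policy_xml, expiring=EXPIRING_TBS):
    """Return one finding per Signer whose TBS CertRoot is an expiring CA."""
    findings = []
    for signer in ET.fromstring(policy_xml).iter(NS + "Signer"):
        cert_root = signer.find(NS + "CertRoot")
        if cert_root is None or cert_root.get("Type", "").upper() != "TBS":
            continue  # rule does not pin a TBS hash
        ca = expiring.get(cert_root.get("Value", "").upper())
        if ca is None:
            continue  # TBS rule for a CA outside the expiry list
        names = [child.tag.replace(NS, "") for child in signer]
        kept = sorted(n for n in names if n.lower() in QUALIFIERS)
        findings.append({"signer": signer.get("ID"), "ca": ca, "qualifiers": kept})
    return findings

if __name__ == "__main__":
    for f in audit_signers(SAMPLE_POLICY):
        print(f["signer"], "->", f["ca"], "| qualifiers:", f["qualifiers"] or "none")
```

Run it against each deployed policy's XML to get the list of rules whose trust will depend on the inference logic.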