In a pivotal update for enterprise environments, Windows has rolled out new certificate authority (CA) handling logic for Application Control for Business, formerly known as Windows Defender Application Control (WDAC). As announced in Microsoft’s official support documentation, this adjustment is crucial for organizations relying on digital signing to validate the integrity and trustworthiness of Windows and Microsoft components. With the impending expiration of key Microsoft Issuing Certification Authorities—entities that have digitally signed Windows binaries and drivers for over a decade—administrators, security professionals, and IT managers must understand how Windows Application Control adapts, and what this means for the real-world security posture of business systems.

Understanding the Certificate Authority Lifecycle and Its Impact

Certificate Authorities are central to the Windows application trust model. For years, six primary Microsoft Issuing CAs have been responsible for signing the leaf certificates used by Windows and core Microsoft components. However, these 15-year CAs are approaching their expiration dates, starting in July 2025. The expiring CAs and their signature TBS (To Be Signed) hash values are as follows:
| Old CA Name | TBS Hash | Expiration Date |
| --- | --- | --- |
| Microsoft Code Signing PCA 2010 | 121AF4B922A74247EA49DF50DE37609CC1451A1FE06B2CB7E1E079B492BD8195 | July 6, 2025 |
| Microsoft Windows PCA 2010 | 90C9669670E75989159E6EEF69625EB6AD17CBA6209ED56F5665D55450A05212 | July 6, 2025 |
| Microsoft Code Signing PCA 2011 | F6F717A43AD9ABDDC8CEFDDE1C505462535E7D1307E630F9544A2D14FE8BF26E | July 8, 2026 |
| Windows Production PCA 2011 | 4E80BE107C860DE896384B3EFF50504DC2D76AC7151DF3102A4450637A032146 | October 19, 2026 |
| Microsoft Windows Third Party Component CA 2012 | CEC1AFD0E310C55C1DCC601AB8E172917706AA32FB5EAF826813547FDF02DD46 | April 18, 2027 |
These authorities will be succeeded by newer CAs, each with its own updated TBS hash. Importantly, this CA turnover could, without proper support, break digital signature checks, causing application failures, driver misreports, or—worse—false denials or false trust within secure environments.

New Handling Logic: Automatic CA Trust Inferencing

Microsoft has proactively addressed this by enhancing Application Control for Business. The new CA handling logic ensures that, if an Application Control policy currently trusts the existing (old) Microsoft CAs using signer rules with the corresponding TBS hash, then trust for the new 2023 and 2024 CAs is automatically inferred.
This means that as the old CAs expire and the new ones begin to sign Windows and other Microsoft binaries, systems aligned with these Application Control policies will not experience abrupt trust breaks or require emergency policy overhauls. Importantly, this inferencing logic applies not just to allow rules but also to deny rules, ensuring policy continuity whether administrators intended to block or allow software signed by Microsoft.

How It Works: Signer Rule Example

Consider an administrator who has a policy rule like this:
Code:
<Signer ID="ID_SIGNER_WINDOWS_CA_1" Name="Microsoft Windows Production PCA 2011">
  <CertRoot Type="TBS" Value="4E80BE107C860DE896384B3EFF50504DC2D76AC7151DF3102A4450637A032146" />
  <CertEKU ID="ID_EKU_WINDOWS" />
</Signer>
With the updated logic, trust will automatically extend to:
Code:
<Signer ID="ID_SIGNER_WINDOWS_CA_2" Name="Windows Production PCA 2023">
  <CertRoot Type="TBS" Value="34EEC0CD7321C9C20309BEF31164D92B88E892341DE67FE2684D9E7FDA09C9E46B05498FB38E29B421E845FEB8C7A4CD" />
  <CertEKU ID="ID_EKU_WINDOWS" />
</Signer>
This preserves additional signer elements such as CertEKU, CertPublisher, FileAttribRef, and CertOemId, contributing to robust and granular policy inferencing. The logic also ensures that deny rules remain effective—software previously blocked, if re-signed by a new CA, will continue to be denied per policy settings.

Supported Platforms and Deployment Timeline

Microsoft has integrated this updated TBS hash logic into all supported Windows platforms that feature Application Control. The update cadence aligns closely with the CAs' expiration timeline:
  • Windows Server 2025: KB5058411, OS Build 26100.4061 (May 13, 2025)
  • Windows 11, version 24H2: KB5055627, OS Build 26100.3915 Preview (April 25, 2025)
  • Windows 11, version 22H2/23H2: KB5055629, OS Builds 22621.5262/22631.5262 Preview (April 22, 2025)
  • Windows Server 2022: KB5058385, OS Build 20348.3692 (May 13, 2025)
  • Windows 10, versions 21H2/22H2: KB5058379, OS Builds 19044.5854/19045.5854 (May 13, 2025)
  • Windows 10, version 1809/Windows Server 2019: KB5058392, OS Build 17763.7314 (May 13, 2025)
  • Windows 10, version 1607/Windows Server 2016: KB5058383, OS Build 14393.8066 (May 13, 2025)
In each case, the required update must be deployed to leverage the new CA handling logic. Organizations that have not yet rolled out these updates by the time the old CAs expire risk encountering policy enforcement issues and reduced security assurance.

Strengths and Benefits of the New Approach

Seamless Policy Continuity

The most significant strength of this inferencing logic is its seamless handling of CA transitions with minimal administrative overhead. By automatically updating trust (and deny) relationships to account for new CAs, Microsoft shields administrators and users from the sharp edges of certificate expiration. This is particularly vital in large enterprises or critical infrastructures, where policy updates to tens of thousands of endpoints would otherwise entail significant coordination and risk.

Granular and Robust Inferencing

The fact that inferencing applies to both allow and deny rules, and preserves associated policy elements like CertEKU and CertPublisher, means organizations retain granular control. Security postures set by policy architects remain effective, and misapplied trust relationships—often the result of simpler migration logic—are thoroughly avoided.

Backward Compatibility and Wide Reach

Because Microsoft is servicing all supported platforms, even older systems such as Windows 10 version 1607 or Windows Server 2016 benefit from consistent trust logic. This backward compatibility is crucial for regulated industries or slow-mover environments where legacy systems are still prominent.

Reduced Admin Overhead

For administrators, the most visible benefit is a dramatic reduction in emergency interventions needed over policy files. No need to manually enumerate and trust every new Microsoft CA as they are introduced; as long as the inferencing logic is enabled and systems are updated, the transition is virtually invisible.

Risks, Caveats, and Considerations

Update Dependency and Patch Management

A key limitation—one that can’t be overstated—is that the new inferencing logic is only available after the specified KB updates are applied. Enterprises lagging on patch cadence or with unsupported systems will not benefit from the new protections. This could result in denied access to legitimate Windows components or unauthorized trust if CAs are not managed correctly.

Introduction of Inferencing Edge Cases

Although Microsoft's logic is robust, there is always a potential risk that unforeseen signer rule edge cases could introduce policy surprises. For example, if a complex, nonstandard rule relies on certificate chaining peculiarities, it is incumbent upon administrators to thoroughly test policy enforcement post-update. Unintended side effects—though unlikely given Microsoft’s track record—could present a risk to highly customized environments.

Opt-Out Mechanism

Recognizing these potential hazards, Microsoft allows organizations to opt out of the inferencing feature. By setting a specific policy flag, administrators can force Application Control to revert to a stricter, manual trust mode, at the expense of losing the seamless CA transition benefit.
  • How to Opt-Out: Set the "Disabled: Default Windows Certificate" flag in policy configuration.
This approach offers flexibility, but places the operational burden back on administrators, who must vigilantly update and test policies for every new Microsoft CA introduced.

Policy Drift and Security Posture

While automatic trust inference is generally beneficial, organizations with extremely high security demands should carefully review inferred signer relationships, as blanket trust for all new CAs may not align with their risk management frameworks. Periodic audits and cross-checks are advised, particularly in environments where third-party CA usage is prevalent.

In-Depth Analysis: Security Assurance and Real-World Efficacy

Application Control, especially as implemented through Windows Defender Application Control, is a cornerstone of enterprise security postures. Its effectiveness in preventing unauthorized code execution is well-documented, but relies fundamentally on accurate, up-to-date trust determination for signed binaries.
The new CA handling logic underscores Microsoft’s commitment to keeping WDAC both robust and low-maintenance. Inferencing means:
  • Legitimate Windows updates, new drivers, and applications signed with post-2022 CAs continue to be trusted without policy flinching.
  • Existing deny rules remain effective, countering both operational risks and the specter of malware masquerading as legitimate components via new CAs.
  • Signer rule elements, such as CertPublisher and FileAttribRef, are propagated, ensuring granular, consistent policy application.
The security community largely welcomes this improvement. According to independent analysis and security experts, such inferencing logic reduces the risk of “CA churn” causing widespread allow/deny rule misfires. However, experts caution that trust relationships should still be routinely audited, especially where compliance and regulatory audits are part of operations.

Recommendations and Best Practices

1. Patch Promptly

To benefit from automatic CA trust inference, ensure all relevant Windows endpoints are running the latest patches as per the Microsoft-provided KB IDs. Patch management systems should be updated to make these rollouts a top priority before the earliest CA expiration date (July 6, 2025).

2. Review Existing Policies

Before and after applying the updates, review Application Control policies with attention to both allow and deny rules that reference Microsoft CA TBS hashes. Check for complex custom rules or reliance on legacy CA structures that may not behave as expected.
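The signer-rule example in "How It Works" and the review step above both come down to the same question: which signer rules in a policy are pinned to an expiring CA's TBS hash, are they allow or deny rules, and which successor CA will trust be inferred for? The following audit script is an added example, not Microsoft's tooling or code from the original post. It parses the standard SiPolicy XML layout (Signers, AllowedSigners, DeniedSigners), uses the TBS hashes from the table above, and knows only the one old-to-new mapping the article documents (Windows Production PCA 2011 to Windows Production PCA 2023); the sample policy and the vendor signer in it are constructed for illustration.

```python
import xml.etree.ElementTree as ET
NS = "urn:schemas-microsoft-com:sipolicy"

# Expiring Microsoft issuing CAs keyed by TBS hash (from the table above).
EXPIRING_CAS = {
    "121AF4B922A74247EA49DF50DE37609CC1451A1FE06B2CB7E1E079B492BD8195": "Microsoft Code Signing PCA 2010",
    "90C9669670E75989159E6EEF69625EB6AD17CBA6209ED56F5665D55450A05212": "Microsoft Windows PCA 2010",
    "F6F717A43AD9ABDDC8CEFDDE1C505462535E7D1307E630F9544A2D14FE8BF26E": "Microsoft Code Signing PCA 2011",
    "4E80BE107C860DE896384B3EFF50504DC2D76AC7151DF3102A4450637A032146": "Windows Production PCA 2011",
    "CEC1AFD0E310C55C1DCC601AB8E172917706AA32FB5EAF826813547FDF02DD46": "Microsoft Windows Third Party Component CA 2012",
}
# The one old-to-new mapping the article documents; successors of the other CAs are not listed here.
SUCCESSORS = {"4E80BE107C860DE896384B3EFF50504DC2D76AC7151DF3102A4450637A032146": "Windows Production PCA 2023"}


def audit_policy(policy_xml):
    """List every TBS signer rule pinned to an expiring CA, with the rule kinds that use it."""
    root = ET.fromstring(policy_xml)
    usage = {}  # SignerId -> {"allow", "deny"} references found under SigningScenarios
    for tag, kind in (("AllowedSigner", "allow"), ("DeniedSigner", "deny")):
        for ref in root.iter(f"{{{NS}}}{tag}"):
            usage.setdefault(ref.get("SignerId"), set()).add(kind)
    findings = []
    for signer in root.iter(f"{{{NS}}}Signer"):
        cert_root = signer.find(f"{{{NS}}}CertRoot")
        if cert_root is None or cert_root.get("Type") != "TBS":
            continue
        tbs = cert_root.get("Value", "").upper()  # policies may store the hash in either case
        if tbs in EXPIRING_CAS:
            sid = signer.get("ID")
            findings.append({"signer_id": sid, "old_ca": EXPIRING_CAS[tbs], "rules": sorted(usage.get(sid, ())),
                             "inferred_successor": SUCCESSORS.get(tbs)})  # None when the page gives no mapping
    return findings


# Constructed sample policy (not a real deployed policy): an allow rule and a deny rule
# pinned to expiring CAs, plus a hypothetical vendor signer that must not be reported.
SAMPLE_POLICY = f"""<SiPolicy xmlns="{NS}"><Signers>
  <Signer ID="ID_SIGNER_WINDOWS_CA_1" Name="Microsoft Windows Production PCA 2011">
    <CertRoot Type="TBS" Value="4E80BE107C860DE896384B3EFF50504DC2D76AC7151DF3102A4450637A032146" /><CertEKU ID="ID_EKU_WINDOWS" />
  </Signer>
  <Signer ID="ID_SIGNER_BLOCK_OLD" Name="Microsoft Code Signing PCA 2010">
    <CertRoot Type="TBS" Value="121af4b922a74247ea49df50de37609cc1451a1fe06b2cb7e1e079b492bd8195" />
  </Signer>
  <Signer ID="ID_SIGNER_VENDOR" Name="Example Vendor CA (hypothetical)">
    <CertRoot Type="TBS" Value="0000000000000000000000000000000000000000000000000000000000000000" />
  </Signer>
</Signers><SigningScenarios><SigningScenario Value="12" ID="ID_SIGNINGSCENARIO_WINDOWS"><ProductSigners>
  <AllowedSigners><AllowedSigner SignerId="ID_SIGNER_WINDOWS_CA_1" /><AllowedSigner SignerId="ID_SIGNER_VENDOR" /></AllowedSigners>
  <DeniedSigners><DeniedSigner SignerId="ID_SIGNER_BLOCK_OLD" /></DeniedSigners>
</ProductSigners></SigningScenario></SigningScenarios></SiPolicy>"""
```

Run `audit_policy` over an exported policy XML to get, per affected signer, the rule kinds (allow/deny) that reference it; a deny hit tells you the block will carry over to the successor CA, and a `None` successor flags a CA whose mapping you must confirm against Microsoft's documentation.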

3. Test, Test, Test

Use pilot groups to test all critical application workflows post-update. Watch for unexpected denials or silent allowance of problematic binaries. Where possible, employ auditing to monitor enforcement in production environments.

4. Consider the Opt-Out Sparingly

Only opt out of inferencing if your organization has a compelling case—such as needing to gatekeep every new Microsoft CA introduction manually for regulatory or security reasons. In such cases, prepare an accelerated policy-update process and ensure security teams are ready to respond to CA churn.

5. Plan for Ongoing Policy Hygiene

Though inferencing eases immediate policy pressure, continuing policy hygiene is essential. Regularly audit rules, monitor Microsoft’s security advisories, and prepare for future CA transitions. Robust governance prevents “set and forget” pitfalls that adversaries can exploit.

Conclusion: A Security and Operations Win—with Continuing Oversight Required

The overhaul of certificate authority handling in Windows Application Control for Business marks a welcome evolution in Microsoft’s drive for secure, operationally efficient enterprise systems. By automatically inferring trust between expiring and successor CAs, Microsoft spares organizations from significant risk and administrative toil, especially as the certificate ecosystem naturally evolves.
Yet, as with any system that automates trust relationships, the real benefit comes with ongoing vigilance. Organizations must keep platforms current, review policies frequently, and avoid complacency. When deployed with care and monitored astutely, the new CA handling logic significantly boosts both the resilience and manageability of Windows-powered business environments.
For organizations planning upgrades or managing large, diverse fleets, the message is clear: Patch now, review policies, and embrace the smoother, more secure future enabled by Microsoft’s Application Control CA inferencing—while always keeping one eye on the certificate chain.

Source: Microsoft - Message Center Windows support for the Application Control for Business new CA handling logic - Microsoft Support