The landscape of enterprise security is continually shaped by the challenge of maintaining trust in a rapidly evolving certificate ecosystem. As Windows environments become even more integral to critical business operations, Microsoft’s Application Control for Business—previously known as Windows Defender Application Control (WDAC)—remains at the forefront of safeguarding endpoints against malicious or unauthorized code. Recent changes to the handling of certificate authorities (CAs) in Application Control signify not only a technical evolution but also a strategic response to the realities of CA certificate lifecycles.
Crucially, Application Control for Business now updates a policy’s effective trust chain automatically when it encounters a Signer rule anchored on one of the legacy Microsoft CA thumbprints, inferring the same rule for the replacement CA. IT administrators therefore do not need to reconstruct rules or approve new CA hashes simply because of a planned Microsoft CA lifecycle event.
When Microsoft transitions to the Windows Production PCA 2023, for example, Application Control infers the equivalent trust for the new CA and the policy’s intent is preserved. The logic retains linked constraints such as Extended Key Usage (EKU), publisher IDs, and file attribute references. The same applies when blocking is configured: if a given legacy CA is denied, its corresponding replacement is denied as well.
The Shifting Foundations of Certificate Trust
Root and intermediate CAs serve as the backbone for code-signing trust, ensuring that applications running on enterprise systems originate from legitimate, recognized publishers. However, all certificates and CAs have finite lifespans. For over a decade, many Windows system components and applications have depended on signatures issued by a small group of long-standing Microsoft Issuing CAs. As these CAs approach their scheduled expiration—beginning as soon as July 2025—Microsoft must transition to new, modern CA certificates without disrupting core enterprise security postures.
Historically, such transitions would have posed a significant risk and operational burden: Application Control (now Application Control for Business) policies often use "Signer" rules anchored on the hash values from these Microsoft intermediate CAs. If organizations fail to update their allowlists and denylists to recognize the new CA certificates, Windows systems could reject legitimate updates, block critical services, or leave security gaps.
This reality necessitated a new solution—one that would bridge the trust relationship between expiring and replacement CAs, while minimizing administrative overhead and risk of misconfiguration. Microsoft’s new CA handling logic in Application Control for Business responds precisely to this requirement.
Understanding the New CA Handling Logic
Microsoft’s revised approach revolves around inference: if an Application Control policy currently allows or denies code signed by one of the legacy Microsoft CAs, trust is automatically inferred for the corresponding new CA certificate—removing the need for manual intervention in most cases. This logic applies regardless of whether the rule is configured to allow or explicitly deny certain software.
The change specifically impacts policies using "Signer" rules that reference CA thumbprints (TBS hash values). These policies, common in tightly controlled enterprises and government environments, specify exactly which issuing CAs are trusted for code execution.
Mapping the Old to the New: Certificate Details
The transition involves mapping five key legacy Microsoft CAs to their modern replacements, complete with new thumbprints (TBS hashes). The table below compares the expiring and new CAs:

| Legacy CA Name | Legacy TBS Hash | Expiry | Replacement CA Name | New TBS Hash |
|---|---|---|---|---|
| Microsoft Code Signing PCA 2010 | 121AF4B922A74247EA49DF50DE37609CC1451A1FE06B2CB7E1E079B492BD8195 | July 6, 2025 | Microsoft Windows Code Signing PCA 2024 | C64CE3455898F871D11C14DA412AAC58FA2022D4213D8AC05F8DD6909B2FB0FC |
| Microsoft Windows PCA 2010 | 90C9669670E75989159E6EEF69625EB6AD17CBA6209ED56F5665D55450A05212 | July 6, 2025 | Microsoft Windows Component Preproduction CA 2024 | 84A5BD1CCB7CD6509FF7214F4BA27D51CCF72BE2AC4AA7F0E97BC066FC804EB |
| Microsoft Code Signing PCA 2011 | F6F717A43AD9ABDDC8CEFDDE1C505462535E7D1307E630F9544A2D14FE8BF26E | July 8, 2026 | Microsoft Code Signing PCA 2024 | B52C1E712CF71D080614DDF95F8258BE0738C0722BD8A55F0AF4361BACEE35B6 |
| Windows Production PCA 2011 | 4E80BE107C860DE896384B3EFF50504DC2D76AC7151DF3102A4450637A032146 | Oct 19, 2026 | Windows Production PCA 2023 | 34EEC0CD7321C9C20309BEF31164D92B88E892341DE67FE2684D9E7FDA09C9E4 |
| Microsoft Windows Third Party Component CA 2012 | CEC1AFD0E310C55C1DCC601AB8E172917706AA32FB5EAF826813547FDF02DD46 | April 18, 2027 | Microsoft Windows Third Party Component CA 2024 | FFFA64ABBB400583B3F812A196A8AF7ABF329D4882F26221A142D734620B759D |
Example: Policy Inference Mechanism
To illustrate, suppose an organization’s existing WDAC policy contains the following rule to allow applications signed by the Windows Production PCA 2011:
Code:
<Signer ID="ID_SIGNER_WINDOWS_CA_1" Name="Microsoft Windows Production PCA 2011">
    <CertRoot Type="TBS" Value="4E80BE107C860DE896384B3EFF50504DC2D76AC7151DF3102A4450637A032146" />
    <CertEKU ID="ID_EKU_WINDOWS" />
</Signer>
When Microsoft transitions to the Windows Production PCA 2023, Application Control automatically infers the equivalent trust for the new CA, as though the policy also contained this rule:
Code:
<Signer ID="ID_SIGNER_WINDOWS_CA_2" Name="Windows Production PCA 2023">
    <CertRoot Type="TBS" Value="34EEC0CD7321C9C20309BEF31164D92B88E892341DE67FE2684D9E7FDA09C9E4" />
    <CertEKU ID="ID_EKU_WINDOWS" />
</Signer>
The inferred rule carries over the EKU constraint unchanged, and the same inference applies to deny rules.
Critical Analysis: Strengths and Cautions
This new inferencing model offers several notable advantages:
- Reduced Operational Overhead: By automatically mapping trust relationships, IT staff avoid time-consuming and error-prone manual policy updates.
- Business Continuity: Ensures that applications and Windows updates signed by new Microsoft CAs are recognized as trusted without administrative delay, decreasing the risk of business disruption.
- Security Parity: The model maintains denial rules; if a CA was previously associated with a block policy, that intent persists for its successor CA. This prevents accidental trust escalation.
- Granular Policy Integrity: Application Control for Business preserves granular attributes in rules, such as EKU, publisher, and custom file attribute references, delivering precise trust relationships even as the CA infrastructure shifts.
- Consistent Cross-Platform Support: The logic has been backported to all actively supported Windows platforms that implement Application Control, including some reaching end-of-life, maximizing organizational coverage during the CA changeover.
Several cautions temper these advantages:
- Assumptions about Future CA Changes: The inferencing logic is currently scoped to the latest set of Microsoft CA transitions as published. Future unforeseen CA retirements, emergency key rollovers, or the addition of further CA intermediates might not be accounted for, potentially requiring new policy updates or keeping abreast of future documentation.
- Variant Policy Customizations: Environments leveraging customized allow/deny logic, especially those integrating third-party signing or more complex identity constructs, may observe nuances not covered in automatic inferencing. Rigorous testing remains essential for high-security deployments.
- Dependency on Updates: This logic is available only on supported OS versions as outlined in Microsoft’s documentation. Systems not updated to the relevant build or KB patch will not benefit from the new handling, risking policy obsolescence or application blockage.
- Potential for Overly Broad Trust: There is an inherent risk that inference might accidentally create a slightly broader trust surface than intended, especially for organizations interpreting CA allow rules as applying to only very specific code signatures. For the majority of Microsoft’s enterprise customers, this is mitigated by the specificity of legacy-to-new CA mappings, but organizations with particularly strict controls should review inferred rules carefully.
- Visibility and Auditing Concerns: Since inference is performed by the Application Control engine, explicit policy artifacts may not evidently document the full set of trusted or denied CAs. This could impact audit trails; organizations may need to adapt their compliance and review practices accordingly.
Deployment Implications and Compatibility
Microsoft has rolled out the TBS hash handling logic uniformly across essentially every platform that supports Application Control for Business, delivering these changes via cumulative updates released in April and May 2025. These include, but are not limited to:
- Windows Server 2025 (KB5058411, OS Build 26100.4061)
- Windows 11, version 24H2 (KB5055627, OS Build 26100.3915 Preview)
- Windows Server, version 23H2 (KB5058384, OS Build 25398.1611)
- Windows 11, versions 22H2 and 23H2 (KB5055629, OS builds 22621.5262/22631.5262 Preview)
- Windows Server 2022 (KB5058385, OS Build 20348.3692)
- Windows 10, versions 21H2 and 22H2 (KB5058379, OS build 19044.5854/19045.5854)
- Windows 10, version 1809 and Windows Server 2019 (KB5058392, OS Build 17763.7314)
- Windows 10, version 1607 and Windows Server 2016 (KB5058383, OS Build 14393.8066)
Opting Out of Inference: Control Remains
For highly sensitive environments or use cases where explicit rule-by-rule control is mandated, Microsoft offers a way to disable TBS hash inferencing in Application Control. This is achieved via a configurable policy flag, documented within Microsoft’s technical article. Disabling inference reverts the engine to require explicit listing and approval of the new CA TBS hashes, giving organizations maximum control but also reintroducing the manual policy maintenance overhead and risk profile.
Best Practices and Recommendations
Enterprises evaluating the impact of these changes should take the following steps:
- Verify Current Policy Coverage: Review existing Application Control policies for references to the soon-to-expire Microsoft CAs. Confirm that the relevant hashes match those mapped in Microsoft’s documentation.
- Patch Promptly: Ensure that all endpoints running Application Control for Business are fully up to date with the OS and Windows Update builds that include the new CA handling logic.
- Test in Staging: Before widespread rollout, deploy the updates and test the inferencing logic in a controlled environment, verifying that no legitimate applications are inadvertently blocked and that deny rules remain effective against unwanted code.
- Document and Communicate: Update internal policy documentation and communicate to stakeholders—especially compliance and audit teams—that CA transitions will now be handled automatically under the new scheme.
- Monitor Official Channels: Track ongoing Microsoft documentation and communications for any additional CA transitions, emergency revocations, or logic updates that may require further action.
- Prepare an Opt-Out Strategy: For organizations with heightened security requirements, be aware of and test the "opt out" flag functionality. Only disable inferencing if absolutely necessary and with complete insight into the operational implications.
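As an added example (not Microsoft’s code and not part of the original article), the following PowerShell audit ties together the inference example above and the "Verify Current Policy Coverage" step: it scans an Application Control policy XML for Signer rules anchored on the legacy TBS hashes from the table, reports whether each is referenced by an allow or a deny rule, and previews the equivalent rule the engine infers. The function name, the constructed sample policy and the "Unreferenced" label are this example’s own; the CA names, hashes and expiry dates are those published above, and the real inference is performed by the OS, not by this script.

```powershell
# Added example (not Microsoft's code): audit an Application Control for Business policy XML for
# Signer rules anchored on the legacy Microsoft CA TBS hashes from the table above, and preview the
# equivalent rule the engine infers. The OS performs the inference; this script only reports the mapping.
# Legacy TBS hash -> replacement CA (names, hashes and expiry dates as published in the table above).
$LegacyCaMap = @{
  '121AF4B922A74247EA49DF50DE37609CC1451A1FE06B2CB7E1E079B492BD8195' = @{ Legacy = 'Microsoft Code Signing PCA 2010'; Expiry = 'July 6, 2025'; New = 'Microsoft Windows Code Signing PCA 2024'; NewTbs = 'C64CE3455898F871D11C14DA412AAC58FA2022D4213D8AC05F8DD6909B2FB0FC' }
  '90C9669670E75989159E6EEF69625EB6AD17CBA6209ED56F5665D55450A05212' = @{ Legacy = 'Microsoft Windows PCA 2010'; Expiry = 'July 6, 2025'; New = 'Microsoft Windows Component Preproduction CA 2024'; NewTbs = '84A5BD1CCB7CD6509FF7214F4BA27D51CCF72BE2AC4AA7F0E97BC066FC804EB' }
  'F6F717A43AD9ABDDC8CEFDDE1C505462535E7D1307E630F9544A2D14FE8BF26E' = @{ Legacy = 'Microsoft Code Signing PCA 2011'; Expiry = 'July 8, 2026'; New = 'Microsoft Code Signing PCA 2024'; NewTbs = 'B52C1E712CF71D080614DDF95F8258BE0738C0722BD8A55F0AF4361BACEE35B6' }
  '4E80BE107C860DE896384B3EFF50504DC2D76AC7151DF3102A4450637A032146' = @{ Legacy = 'Windows Production PCA 2011'; Expiry = 'Oct 19, 2026'; New = 'Windows Production PCA 2023'; NewTbs = '34EEC0CD7321C9C20309BEF31164D92B88E892341DE67FE2684D9E7FDA09C9E4' }
  'CEC1AFD0E310C55C1DCC601AB8E172917706AA32FB5EAF826813547FDF02DD46' = @{ Legacy = 'Microsoft Windows Third Party Component CA 2012'; Expiry = 'April 18, 2027'; New = 'Microsoft Windows Third Party Component CA 2024'; NewTbs = 'FFFA64ABBB400583B3F812A196A8AF7ABF329D4882F26221A142D734620B759D' }
}
function Get-LegacyCaSignerReport {
  param([Parameter(Mandatory)][xml]$Policy)
  $ns = New-Object System.Xml.XmlNamespaceManager($Policy.NameTable)
  $ns.AddNamespace('p', 'urn:schemas-microsoft-com:sipolicy')  # WDAC policy schema namespace
  foreach ($signer in $Policy.SelectNodes('//p:Signers/p:Signer', $ns)) {
    $root = $signer.SelectSingleNode('p:CertRoot', $ns)
    if ($null -eq $root -or $root.GetAttribute('Type') -ne 'TBS') { continue }
    $tbs = $root.GetAttribute('Value').ToUpperInvariant()
    if (-not $LegacyCaMap.ContainsKey($tbs)) { continue }
    $map = $LegacyCaMap[$tbs]; $id = $signer.GetAttribute('ID')
    # Inference follows the rule's effect: a denied legacy CA yields a denied successor.
    $effect = 'Unreferenced'
    if ($Policy.SelectNodes("//p:AllowedSigner[@SignerId='$id']", $ns).Count -gt 0) { $effect = 'Allow' }
    if ($Policy.SelectNodes("//p:DeniedSigner[@SignerId='$id']", $ns).Count -gt 0) { $effect = 'Deny' }
    # Preview of the inferred rule: the clone keeps CertEKU/CertPublisher/FileAttribRef constraints; only name and TBS change.
    $inferred = $signer.CloneNode($true)
    $inferred.SetAttribute('Name', $map.New)
    $inferred.SelectSingleNode('p:CertRoot', $ns).SetAttribute('Value', $map.NewTbs)
    [pscustomobject]@{ SignerId = $id; Effect = $effect; LegacyCa = $map.Legacy
      LegacyExpires = $map.Expiry; InferredCa = $map.New; InferredXml = $inferred.OuterXml }
  }
}
# Constructed sample (not a real deployment): the article's PCA 2011 allow rule plus a denied legacy CA.
[xml]$SamplePolicy = @"
<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy">
 <Signers>
  <Signer ID="ID_SIGNER_WINDOWS_CA_1" Name="Microsoft Windows Production PCA 2011">
   <CertRoot Type="TBS" Value="4E80BE107C860DE896384B3EFF50504DC2D76AC7151DF3102A4450637A032146" /><CertEKU ID="ID_EKU_WINDOWS" />
  </Signer>
  <Signer ID="ID_SIGNER_DENY_CS2010" Name="Microsoft Code Signing PCA 2010"><CertRoot Type="TBS" Value="121AF4B922A74247EA49DF50DE37609CC1451A1FE06B2CB7E1E079B492BD8195" /></Signer>
 </Signers>
 <SigningScenarios><SigningScenario Value="12" ID="ID_SIGNINGSCENARIO_WINDOWS"><ProductSigners>
  <AllowedSigners><AllowedSigner SignerId="ID_SIGNER_WINDOWS_CA_1" /></AllowedSigners>
  <DeniedSigners><DeniedSigner SignerId="ID_SIGNER_DENY_CS2010" /></DeniedSigners>
 </ProductSigners></SigningScenario></SigningScenarios>
</SiPolicy>
"@
Get-LegacyCaSignerReport -Policy $SamplePolicy | Format-List  # real policy: -Policy ([xml](Get-Content .\policy.xml -Raw))
```

Running it against the constructed sample reports the PCA 2011 signer as Allow with Windows Production PCA 2023 as its inferred CA, and the Code Signing PCA 2010 signer as Deny with Microsoft Windows Code Signing PCA 2024 as its inferred CA; a Signer that matches a legacy hash but appears in no AllowedSigners or DeniedSigners list is flagged Unreferenced so it can be reviewed by hand.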
The Bigger Security Picture
This change highlights a broader shift in enterprise security: the move toward smarter, context-aware automation within foundational trust decisions. Certificate authority transitions are inevitable, and responding with agility—without compromising on security—is more important than ever. Microsoft’s inferencing-based approach aligns closely with best practices espoused in recent security research: minimize administrative touch points, eliminate sources of configuration drift, and maintain explicit control when absolutely required.
Yet, absolute automation is not a panacea. Vigilant monitoring, regular audit, and clear documentation remain mandatory. Enterprises adopting Application Control for Business in regulated, critical, or multi-platform environments should combine the operational benefits of inferencing with robust process governance.
Summary: Modernizing Code Signing Trust in Windows
In summary, Windows’ new certificate authority handling logic in Application Control for Business offers a compelling, future-ready mechanism for bridging expiring and replacement Microsoft CAs. It delivers streamlined operations, enhanced application continuity, and minimal administrator intervention during a potentially disruptive infrastructure transition. The inferencing model ensures both allow and deny policies retain their intended effect, even as Microsoft cycles its issuing certificates.
However, organizations must remain attentive—validating their environments for compatibility, testing thoroughly, and standing ready with opt-out measures if full manual control is still necessary for compliance or security assurance. This change demonstrates Microsoft’s commitment to proactively supporting enterprise customers through foundational trust shifts while mitigating operational and security risks.
For organizations that depend on Application Control for Business, these changes promise to deliver smoother Windows updates, fewer trust interruptions, and a steadier footing for secure code execution in the years ahead. As always, the full value is realized only when paired with prompt patching, proactive oversight, and an informed understanding of the underlying trust framework that supports every Windows security decision.
Source: Microsoft - Message Center Windows support for the Application Control for Business new CA handling logic - Microsoft Support