Category
stayInformed
Severity
normal
Major change
False
Last modified
2025-07-02 19:36:42
Summary source
Azure OpenAI (gpt-4.1)
Action by (Graph)
—
Action by (AI)
—
Services
Windows
Tags
Admin impact
Master tags
Security
Roadmap IDs
One-line summary
Application Control for Business updates CA trust logic to handle expiring Microsoft CAs, requiring Windows updates by May 13, 2025 for seamless trust extension.
Similar updates
MC1111657 Second phase for KB5057784: Protections for CVE-2025-26647 (Kerberos Authentication) begins today
Second phase for KB5057784: Protections for CVE-2025-26647 (Kerberos Authentication) begins today Windows updates will enforce stricter certificate-based authentication from July 8, 2025, requiring CAs in the NTAuth store; full enforcement and policy bypass removal starts October 14, 2025. Starting with the April 8, 2025, Windows security.
MC1185931 Secure Boot playbook for certificates expiring in 2026
Secure Boot playbook for certificates expiring in 2026 Secure Boot certificates on many Windows devices will expire in June 2026; admins should monitor, prepare, and update certificates to ensure continued protection. ... Microsoft will deliver the new 2023 Secure Boot certificates through Windows monthly updates—with original equipment.
MC1092195 Prepare for Kerberos CBA changes: Enforcement begins with July updates
Prepare for Kerberos CBA changes: Enforcement begins with July updates Windows updates will enforce stricter certificate-based authentication for domain controllers, requiring CAs in the NTAuth store starting July 8, 2025, with full enforcement October 14, 2025. Starting with the April 8, 2025 Windows security updates, protections for .
MC1050816 KB5057784: Protections for CVE-2025-26647 (Kerberos Authentication)
KB5057784: Protections for CVE-2025-26647 (Kerberos Authentication) Windows updates from April 8, 2025 add protections for a Kerberos vulnerability; enforcement starts July 8, 2025, with full enforcement and registry key removal on October 14, 2025. The Windows security updates released on or after April 8, 2025, contain protections for a.
MC1173103 Secure Boot certificate deployment guide and tools
Secure Boot certificate deployment guide and tools Update expiring Secure Boot certificates to 2023 CAs using new guides and tools; 2011 CAs start expiring June 2026, with 2023 CAs rolling out via Windows updates from October 2025. Use the newly published guide and tools to start updating your organization’s expiring Secure Boot certificates. As.
MC1139443 Secure Boot certificate expiration: What Windows IT admins need to know now
Secure Boot certificate expiration: What Windows IT admins need to know now Microsoft is updating Secure Boot certificates before current ones expire in 2026; IT admins must ensure systems accept new certificates to maintain security and updates. Secure Boot protects Windows systems by validating firmware and boot components using trusted ce....
Details
Body (from Message Center)
Microsoft is updating the logic used by Application Control for Business to handle signer rules that rely on TBS (To Be Signed) hash values for Microsoft intermediate certificate authorities (CAs). A signer rule of this kind pins one specific CA certificate: a renewed CA certificate has a different TBS hash, so the existing rule would not match it and files signed under the new chain would not be authorized by that rule. This is in response to the upcoming expiration of several 15-year CAs starting in July 2025. The new logic allows Application Control to automatically infer trust for the new 2023 and 2024 CAs if your existing policy already trusts the older CAs. Signer elements like CertEKU, CertPublisher, FileAttribRef and CertOemId are preserved in the inferencing logic, so the constraints of the original rule carry over to the inferred one.
When this will happen:
Beginning in July 2025, these CAs will begin to expire according to the following schedule:
- July 6, 2025 - Microsoft Code Signing PCA 2010
- July 6, 2025 - Microsoft Windows PCA 2010
- July 8, 2026 - Microsoft Code Signing PCA 2011
- October 19, 2026 - Windows Production PCA 2011
- April 18, 2027 - Microsoft Windows Third Party Component CA 2012
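To find out which signer rules in an existing policy pin one of these intermediates by TBS hash, the following PowerShell script walks the policy XML. It is an added example, not code from the Message Center post or from Microsoft's App Control tooling; the sample policy at the bottom is constructed for the example and its TBS Value attributes are placeholders, not real hashes. The function name Find-ExpiringTbsSigner is this example's own.

```powershell
# Added example (not part of the Message Center post): list the Signer rules in
# an App Control for Business policy XML that pin one of the expiring Microsoft
# intermediate CAs by TBS hash. The sample policy at the bottom is constructed
# for this example; its TBS Value attributes are placeholders, not real hashes.

$SiPolicyNs = 'urn:schemas-microsoft-com:sipolicy'

# Expiry dates as listed in the post.
$ExpiringCAs = @{
    'Microsoft Code Signing PCA 2010'                 = [datetime]'2025-07-06'
    'Microsoft Windows PCA 2010'                      = [datetime]'2025-07-06'
    'Microsoft Code Signing PCA 2011'                 = [datetime]'2026-07-08'
    'Microsoft Windows Production PCA 2011'           = [datetime]'2026-10-19'
    'Microsoft Windows Third Party Component CA 2012' = [datetime]'2027-04-18'
}

function Find-ExpiringTbsSigner {
    param(
        [Parameter(Mandatory)] [xml] $Policy,
        [hashtable] $Expiring = $ExpiringCAs
    )
    $ns = New-Object System.Xml.XmlNamespaceManager($Policy.NameTable)
    $ns.AddNamespace('p', $SiPolicyNs)

    foreach ($signer in $Policy.SelectNodes('//p:Signers/p:Signer', $ns)) {
        $root = $signer.SelectSingleNode('p:CertRoot', $ns)
        # Only TBS-pinned signers are affected; Wellknown roots are not.
        if ($null -eq $root -or $root.GetAttribute('Type') -ne 'TBS') { continue }

        # Policies produced by the App Control tooling put the CA's subject CN in
        # the Signer Name. A hand-renamed signer would not be caught here, so a
        # clean result is evidence, not proof; compare the TBS hash if in doubt.
        $name  = $signer.GetAttribute('Name')
        $match = @($Expiring.Keys | Where-Object { $name -like "*$_*" })
        if ($match.Count -eq 0) { continue }

        [pscustomobject]@{
            SignerId         = $signer.GetAttribute('ID')
            Name             = $name
            TbsHash          = $root.GetAttribute('Value')
            Expires          = $Expiring[$match[0]]
            # Constraints the post says the inferencing logic preserves
            # (the policy schema spells the OEM element CertOemID).
            HasCertEKU       = $null -ne $signer.SelectSingleNode('p:CertEKU', $ns)
            HasCertPublisher = $null -ne $signer.SelectSingleNode('p:CertPublisher', $ns)
            HasFileAttribRef = $null -ne $signer.SelectSingleNode('p:FileAttribRef', $ns)
            HasCertOemID     = $null -ne $signer.SelectSingleNode('p:CertOemID', $ns)
        }
    }
}

# Constructed sample: one affected signer, one unrelated one.
[xml] $SamplePolicy = @"
<SiPolicy xmlns="$SiPolicyNs" PolicyType="Base Policy">
  <Signers>
    <Signer ID="ID_SIGNER_S_1" Name="Microsoft Windows Production PCA 2011">
      <CertRoot Type="TBS" Value="PLACEHOLDER_TBS_HASH_1" />
      <CertEKU ID="ID_EKU_WINDOWS" />
    </Signer>
    <Signer ID="ID_SIGNER_S_2" Name="Contoso Code Signing CA">
      <CertRoot Type="TBS" Value="PLACEHOLDER_TBS_HASH_2" />
    </Signer>
  </Signers>
</SiPolicy>
"@

Find-ExpiringTbsSigner -Policy $SamplePolicy | Format-List
# For a real policy: Find-ExpiringTbsSigner -Policy ([xml](Get-Content .\Policy.xml -Raw))
```

Run against the sample, only ID_SIGNER_S_1 is reported, with HasCertEKU set because the signer carries a CertEKU element. Signers matched by name only are a heuristic; a policy whose signer names were edited by hand should be compared by TBS hash against the certificates themselves.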
How this will affect your organization:
Microsoft has serviced the TBS hash handling logic for the expiring CAs to all supported versions of Windows where Application Control is supported beginning with the following releases:
- Windows Server 2025: May 13, 2025—KB5058411
- Windows 11, version 24H2: April 25, 2025—KB5055627
- Windows Server, version 23H2: May 13, 2025—KB5058384
- Windows 11, version 22H2 and 23H2: April 22, 2025—KB5055629
- Windows Server 2022: May 13, 2025—KB5058385
- Windows 10, versions 21H2 and 22H2: May 13, 2025—KB5058379
- Windows 10 Enterprise LTSC 2019 and Windows Server 2019: May 13, 2025—KB5058392
- Windows 10 Enterprise LTSB 2016 and Windows Server 2016: May 13, 2025—KB5058383
What you need to do to prepare:
Ensure your systems are updated with the updates listed above or subsequent ones. No policy updates are required if your existing rules reference the expiring CAs. Windows will seamlessly extend trust to the new 2023 and 2024 CAs via Windows updates.
If you want to opt out of the TBS hash inferencing logic performed by Application Control, set the following flag in policies: Disabled:Default Windows Certificate Remapping.
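The two preparation steps above, as an added PowerShell example that is not part of the Message Center post: one function reports whether any of the listed KBs is installed and what build the device is on, and one adds the opt-out rule option to a policy XML. The function names Test-ServicingUpdate and Add-CertificateRemappingOptOut are this example's own; the KB IDs and the option string are the ones given in the post.

```powershell
# Added example (not part of the Message Center post).
#   1. Test-ServicingUpdate: is one of the listed servicing updates installed?
#   2. Add-CertificateRemappingOptOut: set the opt-out rule option in a policy XML.

$SiPolicyNs = 'urn:schemas-microsoft-com:sipolicy'

# KB IDs from the post (one per listed OS release).
$ServicingKbs = @(
    'KB5058411', 'KB5055627', 'KB5058384', 'KB5055629',
    'KB5058385', 'KB5058379', 'KB5058392', 'KB5058383'
)

function Test-ServicingUpdate {
    param([string[]] $KbIds = $ServicingKbs)
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $found = @($KbIds | Where-Object { $installed -contains $_ })
    # Cumulative updates supersede each other: a device that took a later
    # monthly update carries the fix but will not list these KB IDs, so the
    # build and UBR are reported for comparison against the release notes.
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [pscustomobject]@{
        ListedKbInstalled = ($found.Count -gt 0)
        MatchedKb         = $found
        OsBuild           = "$($cv.CurrentBuild).$($cv.UBR)"
        DisplayVersion    = $cv.DisplayVersion
    }
}

function Add-CertificateRemappingOptOut {
    param([Parameter(Mandatory)] [xml] $Policy)
    $ns = New-Object System.Xml.XmlNamespaceManager($Policy.NameTable)
    $ns.AddNamespace('p', $SiPolicyNs)
    $option = 'Disabled:Default Windows Certificate Remapping'

    # Generated policies always carry a Rules element; element order in SiPolicy
    # matters, so this example refuses to create one at an arbitrary position.
    $rules = $Policy.SelectSingleNode('/p:SiPolicy/p:Rules', $ns)
    if ($null -eq $rules) { throw 'Policy has no Rules element' }

    # Idempotent: do nothing if the option is already present.
    if ($null -ne $rules.SelectSingleNode("p:Rule/p:Option[text()='$option']", $ns)) {
        return $false
    }
    $rule = $Policy.CreateElement('Rule', $SiPolicyNs)
    $opt  = $Policy.CreateElement('Option', $SiPolicyNs)
    $opt.InnerText = $option
    $rule.AppendChild($opt)  | Out-Null
    $rules.AppendChild($rule) | Out-Null
    return $true
}

Test-ServicingUpdate

# Opt out only with a reason: by default trust is extended to the new CAs automatically.
[xml] $policy = Get-Content .\Policy.xml -Raw
if (Add-CertificateRemappingOptOut -Policy $policy) {
    $policy.Save((Resolve-Path .\Policy.xml).Path)
    # Then rebuild the binary policy (ConvertFrom-CIPolicy) and redeploy it.
}
```

Test-ServicingUpdate reports ListedKbInstalled as $false on a device that received a later cumulative update than the ones listed, which is still a covered device; treat the build and UBR as the authoritative check in that case.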
Additional information:
Raw JSON (for debugging)
{
"snapshot_item": {
"action_required_by": null,
"ai_action_required_by": null,
"ai_actions": [
"Update Windows with specified KBs or later",
"Review Application Control policies if opting out"
],
"ai_master_tags": [
"Security"
],
"ai_model": "gpt-4.1",
"ai_summary": "Application Control for Business updates CA trust logic to handle expiring Microsoft CAs, requiring Windows updates by May 13, 2025 for seamless trust extension.",
"ai_topics": [
"Windows"
],
"category": "stayInformed",
"details_map": {},
"id": "MC1096052",
"importance": 0,
"is_major_change": false,
"last_modified": "2025-07-02T19:36:42Z",
"ms_products": [
"Windows"
],
"platforms": null,
"roadmap_ids": [],
"services": [
"Windows"
],
"severity": "normal",
"tags": [
"Admin impact"
],
"title": "Windows add support for the new certificate authority handling logic in Application Control for Business"
}
}