Applies To: Windows 10, Windows 11

Original publish date: May 20, 2025

KB ID: 5061682

Change date: July 2, 2025

Change description:

  • Corrected the flag name in policies to "Disabled:Default Windows Certificate Remapping" in the "How to opt out" section.

Introduction

This article outlines the new handling logic in Application Control for Business (formerly Windows Defender Application Control, WDAC) for signer rules that specify the TBS hash value of a Microsoft intermediate certificate authority (CA).

Microsoft Issuing CAs

Microsoft and Windows components are signed by leaf certificates mainly issued by six Microsoft Issuing CAs. Beginning in July 2025, these 15-year Issuing CAs begin to expire according to the following schedule.

CA Name | TBS hash | Expiration Date

Microsoft Code Signing PCA 2010 | 121AF4B922A74247EA49DF50DE37609CC1451A1FE06B2CB7E1E079B492BD8195 | July 6, 2025

Microsoft Windows PCA 2010 | 90C9669670E75989159E6EEF69625EB6AD17CBA6209ED56F5665D55450A05212 | July 6, 2025

Microsoft Code Signing PCA 2011 | F6F717A43AD9ABDDC8CEFDDE1C505462535E7D1307E630F9544A2D14FE8BF26E | July 8, 2026

Windows Production PCA 2011 | 4E80BE107C860DE896384B3EFF50504DC2D76AC7151DF3102A4450637A032146 | October 19, 2026

Microsoft Windows Third Party Component CA 2012 | CEC1AFD0E310C55C1DCC601AB8E172917706AA32FB5EAF826813547FDF02DD46 | April 18, 2027

Although updating is recommended, Application Control policies that contain Signer rules with the TBS hash values listed in the table above do not need to be updated to trust components signed by the new 2023 and 2024 CAs. If your policy has rules trusting the current CAs, Application Control automatically infers trust for the new 2023 and 2024 CAs and their TBS hash values.

For example, if your policy trusts the Windows Production PCA 2011 with the following rule, trust for the new Windows Production PCA 2023 is inferred automatically. Child elements of the Signer, such as CertEKU, CertPublisher, FileAttribRef and CertOemId, are preserved by the inferencing logic, so the inferred rule carries the same constraints as the original.

Signer Rule examples

Current Signer Rule

<Signer ID="ID_SIGNER_WINDOWS_CA_1" Name="Microsoft Windows Production PCA 2011">
  <CertRoot Type="TBS" Value="4E80BE107C860DE896384B3EFF50504DC2D76AC7151DF3102A4450637A032146" />
  <CertEKU ID="ID_EKU_WINDOWS" />
</Signer>

Inferred Signer Rule

<Signer ID="ID_SIGNER_WINDOWS_CA_2" Name="Windows Production PCA 2023">
  <CertRoot Type="TBS" Value="34EEC0CD7321C9C20309BEF31164D92B88E892341DE67FE2684D9E7FDA09C9E46B05498FB38E29B421E845FEB8C7A4CD" />
  <CertEKU ID="ID_EKU_WINDOWS" />
</Signer>

The new handling logic also extends to deny signer rules in the policy. If you have denied components signed by the existing CAs, those components continue to be denied once they are signed with the new 2023 and 2024 CAs.

Compatibility

Microsoft has shipped the TBS hash handling logic for the expiring CAs to every supported Windows release on which Application Control is available, starting with the updates listed in the following table.

Windows OS | Beginning this release and later releases

Windows Server 2025 | May 13, 2025—KB5058411 (OS Build 26100.4061)

Windows 11, version 24H2 | April 25, 2025—KB5055627 (OS Build 26100.3915) Preview

Windows Server, version 23H2 | May 13, 2025—KB5058384 (OS Build 25398.1611)

Windows 11, versions 22H2 and 23H2 | April 22, 2025—KB5055629 (OS Builds 22621.5262 and 22631.5262) Preview

Windows Server 2022 | May 13, 2025—KB5058385 (OS Build 20348.3692)

Windows 10, versions 21H2 and 22H2 | May 13, 2025—KB5058379 (OS Builds 19044.5854 and 19045.5854)

Windows 10, version 1809 and Windows Server 2019 | May 13, 2025—KB5058392 (OS Build 17763.7314)

Windows 10, version 1607 and Windows Server 2016 | May 13, 2025—KB5058383 (OS Build 14393.8066)

How to opt out

If you want to opt your systems out of the TBS hash inferencing logic performed by Application Control, set the following flag (policy rule option) in your policies: "Disabled:Default Windows Certificate Remapping". With the flag set, the policy must be updated by hand to trust or deny the new 2023 and 2024 CAs.
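The following PowerShell is an added example and is not part of this article or of Microsoft's tooling. It serves two points above: it audits a policy XML for Signer rules pinned to one of the expiring CAs from the table (reporting whether each is an allow or deny rule and which child elements the inferencing logic would carry over), and it adds the opt-out flag named in this section as a Rule/Option entry. The sample policy embedded in the script is constructed for the example and trimmed to the elements the functions read; the function names, the sample signer IDs and the publisher name are assumptions, and the final compile step with ConvertFrom-CIPolicy is mentioned only as the usual follow-on.

```powershell
# Added example (not from the KB): audit an App Control policy XML for Signer rules that pin one of
# the expiring Microsoft Issuing CAs listed in this article, and optionally add the opt-out rule option.
# Hashes are taken from the CA table above; the sample policy further down is constructed for this example.

$ExpiringCAs = @{
    '121AF4B922A74247EA49DF50DE37609CC1451A1FE06B2CB7E1E079B492BD8195' = 'Microsoft Code Signing PCA 2010 (expires July 6, 2025)'
    '90C9669670E75989159E6EEF69625EB6AD17CBA6209ED56F5665D55450A05212' = 'Microsoft Windows PCA 2010 (expires July 6, 2025)'
    'F6F717A43AD9ABDDC8CEFDDE1C505462535E7D1307E630F9544A2D14FE8BF26E' = 'Microsoft Code Signing PCA 2011 (expires July 8, 2026)'
    '4E80BE107C860DE896384B3EFF50504DC2D76AC7151DF3102A4450637A032146' = 'Windows Production PCA 2011 (expires October 19, 2026)'
    'CEC1AFD0E310C55C1DCC601AB8E172917706AA32FB5EAF826813547FDF02DD46' = 'Microsoft Windows Third Party Component CA 2012 (expires April 18, 2027)'
}

function Get-ExpiringCASignerUsage {
    # Lists every Signer whose CertRoot TBS hash is one of the expiring CAs, whether the policy
    # allows or denies it, and which child elements (CertEKU, CertPublisher, ...) the inferencing
    # logic carries over to the automatically trusted 2023/2024 CA rule.
    param([Parameter(Mandatory)][xml]$Policy)

    $allowIds = @(); $denyIds = @()
    foreach ($scenario in @($Policy.SiPolicy.SigningScenarios.SigningScenario)) {
        $allowIds += @($scenario.ProductSigners.AllowedSigners.AllowedSigner | ForEach-Object { $_.SignerId })
        $denyIds  += @($scenario.ProductSigners.DeniedSigners.DeniedSigner   | ForEach-Object { $_.SignerId })
    }

    foreach ($signer in @($Policy.SiPolicy.Signers.Signer)) {
        $root = $signer.CertRoot
        if (-not $root -or $root.GetAttribute('Type') -ne 'TBS') { continue }
        # Normalize whitespace and case so a hand-edited rule still matches the table.
        $tbs = ($root.GetAttribute('Value') -replace '\s', '').ToUpperInvariant()
        if (-not $ExpiringCAs.ContainsKey($tbs)) { continue }
        $id = $signer.GetAttribute('ID')
        $effect = if ($denyIds -contains $id) { 'Deny' } elseif ($allowIds -contains $id) { 'Allow' } else { 'Unreferenced' }
        $constraints = @($signer.ChildNodes | Where-Object { $_.LocalName -ne 'CertRoot' } | ForEach-Object { $_.LocalName })
        [pscustomobject]@{
            SignerId    = $id
            Name        = $signer.GetAttribute('Name')
            ExpiringCA  = $ExpiringCAs[$tbs]
            Effect      = $effect
            Constraints = ($constraints -join ',')
        }
    }
}

function Add-CertificateRemappingOptOut {
    # Adds the opt-out flag from the "How to opt out" section as a <Rule><Option> entry, only if absent.
    param([Parameter(Mandatory)][xml]$Policy)
    $optionName = 'Disabled:Default Windows Certificate Remapping'
    $rules = $Policy.SiPolicy.Rules
    if (@($rules.Rule | Where-Object { $_.Option -eq $optionName }).Count -eq 0) {
        $ns   = $Policy.DocumentElement.NamespaceURI
        $rule = $Policy.CreateElement('Rule', $ns)
        $opt  = $Policy.CreateElement('Option', $ns)
        $opt.InnerText = $optionName
        [void]$rule.AppendChild($opt)
        [void]$rules.AppendChild($rule)
    }
    return $Policy
}

# Constructed sample policy (trimmed to the elements the functions read): one allow signer pinned to
# Windows Production PCA 2011 and one deny signer pinned to Microsoft Code Signing PCA 2010.
$SamplePolicyXml = @'
<?xml version="1.0" encoding="utf-8"?>
<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy" PolicyType="Base Policy">
  <VersionEx>10.0.0.0</VersionEx>
  <Rules>
    <Rule><Option>Enabled:UMCI</Option></Rule>
    <Rule><Option>Enabled:Audit Mode</Option></Rule>
  </Rules>
  <EKUs>
    <EKU ID="ID_EKU_WINDOWS" Value="010A2B0601040182370A0306" FriendlyName="Windows System Component Verification" />
  </EKUs>
  <Signers>
    <Signer ID="ID_SIGNER_WINDOWS_CA_1" Name="Microsoft Windows Production PCA 2011">
      <CertRoot Type="TBS" Value="4E80BE107C860DE896384B3EFF50504DC2D76AC7151DF3102A4450637A032146" />
      <CertEKU ID="ID_EKU_WINDOWS" />
    </Signer>
    <Signer ID="ID_SIGNER_DENY_CS2010" Name="Microsoft Code Signing PCA 2010">
      <CertRoot Type="TBS" Value="121AF4B922A74247EA49DF50DE37609CC1451A1FE06B2CB7E1E079B492BD8195" />
      <CertPublisher Value="Contoso Legacy Tools" />
    </Signer>
  </Signers>
  <SigningScenarios>
    <SigningScenario Value="12" ID="ID_SIGNINGSCENARIO_WINDOWS" FriendlyName="Kernel">
      <ProductSigners>
        <AllowedSigners><AllowedSigner SignerId="ID_SIGNER_WINDOWS_CA_1" /></AllowedSigners>
        <DeniedSigners><DeniedSigner SignerId="ID_SIGNER_DENY_CS2010" /></DeniedSigners>
      </ProductSigners>
    </SigningScenario>
  </SigningScenarios>
</SiPolicy>
'@

$policy = [xml]$SamplePolicyXml
Get-ExpiringCASignerUsage -Policy $policy | Format-Table -AutoSize

# Only opt out if you intend to manage the 2023/2024 CA TBS hashes in the policy yourself; the result is
# still an ordinary policy XML that you compile with ConvertFrom-CIPolicy as usual.
$policy = Add-CertificateRemappingOptOut -Policy $policy
$policy.Save((Join-Path $PWD 'policy-optout.xml'))
```

Run the audit against your real policy by replacing `[xml]$SamplePolicyXml` with `[xml](Get-Content -Raw .\MyPolicy.xml)`. Rows reported as Deny are the ones the article says keep blocking the same components after re-signing with the 2023 and 2024 CAs; with the opt-out flag added, none of the reported rows extend to the new CAs until you add their TBS hashes explicitly.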

