Changes in support on Microsoft Windows – Minimum patch level. - WithSecure Community
<main>
<article class="userContent">
<p><strong>UPDATED</strong> 22.2.2023 Article rewritten with further clarification.</p><p><strong>UPDATED</strong> 14.2.2023 to clarify some parts.</p><p>In a world where cyber criminals seek to exploit even the smallest vulnerabilities to get access to your devices and data, it is important to keep your operating systems at the latest vendor patch level.</p><p>All operating system vendors, including Microsoft, Apple, Google and the Linux distributions, strongly recommend that their customers patch their devices regularly with the latest available updates to help reduce the threat.</p><p>Running an unpatched operating system is risky, and WithSecure always recommends keeping patches up to date.</p><p>Occasionally, software vendors change their minimum supported operating system versions, often in alignment with the OS vendor. Microsoft now requires a minimum patch level of October 2021 for Windows to load certain types of binaries included in third-party software (see Background below), and WithSecure is changing its requirements in alignment.</p><p><strong>Background</strong></p><p>The WithSecure Agents on Microsoft Windows use a Windows mechanism called Protected Process Light (PPL) to protect key services from tampering, even by admin-level users.</p><p>Microsoft has recently introduced new code signing requirements for PPL binaries that affect all security vendors. These binaries must now be signed using Azure Code Signing (ACS), whereas previously vendors could sign using their own digital certificate. This ACS requirement in turn means that customer endpoints must have the necessary dependencies in place to validate ACS signatures, since Windows will not load a PPL binary whose signature it cannot validate (see below for details).</p><p><strong>What will happen on March 3rd, 2023?</strong></p><p>On March 3rd, the legacy WithSecure certificate for signing PPL binaries will expire, and Agent updates issued after this date will not load unless they are ACS-signed AND customer endpoints have the necessary dependencies in place. WithSecure binaries signed before this date will remain valid on all endpoints.</p><p>Failure to load the Agent's PPL binaries would mean that protection and monitoring coverage is lost. However, WithSecure <strong>will ensure</strong> that functionality for <strong>previously installed agents</strong> is preserved beyond March 3rd by preventing the installation of updates on endpoints which do not meet the ACS validation dependencies. Such endpoints continue to run the Agent already installed, but do not receive further Agent updates.</p><p>In general, new installations of the WithSecure Agents will fail on endpoints missing the ACS dependencies after March 3rd.</p><p><strong>Which WithSecure Agents are affected?</strong></p><p>All versions of the following products on Microsoft Windows are affected by this:</p><ul><li>WithSecure Elements Agents<ul><li>Endpoint Protection</li><li>Endpoint Detection and Response</li></ul></li><li>WithSecure Countercept</li><li>F-Secure Client Security</li><li>F-Secure Server Security</li><li>F-Secure Email and Server Security</li></ul><p><strong>What are the ACS validation dependencies?</strong></p><p>There are two dependencies:</p><ul><li>Installation of the security patches released by Microsoft in September and October 2021 for the endpoint's Windows version, <a href="https://support.microsoft.com/en-gb/topic/kb5022661-windows-support-for-the-azure-code-signing-program-4b505a31-fa1e-4ea6-85dd-6630229e8ef4" rel="nofollow noreferrer ugc"><strong><em>as documented here</em></strong></a> (KB5022661, Windows support for the Azure Code Signing program).</li><li>Installation of the ‘Microsoft Identity Verification Root Certificate Authority 2020’ CA certificate in the machine's trusted root certificate store.</li></ul><p>No action is required for the following recent versions of Windows, since they support ACS by default:</p><ul><li>Windows 11</li><li>Windows 10 22H2</li><li>Windows 10 21H2</li></ul><p><strong>How can customers identify Windows endpoints which are missing the ACS dependencies?</strong></p><p>WithSecure expects that the vast majority of customer endpoints already meet the dependencies, although it is not possible to make a definitive assessment in advance of the March 3rd date.</p><p>Customers can check for patch installation using the Knowledge Base (KB) numbers documented by Microsoft. However, checking by individual KB number can be unreliable: Windows updates are cumulative, so a later cumulative update contains the fix from an earlier one, meaning that the dependency can be met even if the specific KB documented by Microsoft is not listed as installed. A more reliable check is to compare the endpoint's OS build and revision number (as shown by winver) against the OS build given in the Microsoft update article for the documented KB, since any later build on the same Windows version includes it.</p><p>Most Windows endpoints will already meet the CA certificate dependency because new root certificates are downloaded automatically through the Windows automatic root certificate update mechanism. However, customers who have disabled this mechanism by policy, or whose endpoints cannot reach Windows Update, will need to ensure that the new Microsoft CA certificate is installed.</p>
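<p>The following endpoint check reflects the two dependencies and the caveats described in this article. It is added here as an example and is not a WithSecure tool or script. It assumes a PowerShell session with local administrator rights on the endpoint, and that the KB numbers for the endpoint's Windows version are taken from Microsoft's KB5022661 and passed in with the -RequiredKBs parameter (the script does not hardcode them); the parameter and output field names are chosen for this example.</p>

```powershell
# Added example (not WithSecure code): report whether a Windows endpoint meets the
# ACS validation dependencies described in this article.
# Usage (KB ids taken from KB5022661 for this Windows version; example values):
#   .\Check-AcsDependencies.ps1 -RequiredKBs KB0000001, KB0000002
[CmdletBinding()]
param(
    # KB ids from KB5022661 for this endpoint's Windows version. Left empty on purpose:
    # the numbers differ per Windows version and are not reproduced here.
    [string[]]$RequiredKBs = @()
)

# Build and revision come from the registry; DisplayVersion (e.g. 21H2) exists on
# Windows 10 20H2 and later. Windows 11 keeps a "Windows 10" ProductName string in
# the registry, so it is detected by build number (22000 and above).
$cv             = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$build          = [int]$cv.CurrentBuild
$ubr            = [int]$cv.UBR
$displayVersion = $cv.DisplayVersion

# Per this article, Windows 11, Windows 10 21H2 and 22H2 support ACS out of the box.
$supportsAcsByDefault = ($build -ge 22000) -or ($displayVersion -in @('21H2', '22H2'))

# 1) Patch level. Get-HotFix lists installed updates by KB id, but a cumulative
#    update supersedes earlier ones, so a KB id that is not listed does not prove the
#    fix is absent. Compare "$build.$ubr" against the OS build in Microsoft's update
#    article for the documented KB when MissingKBs is not empty.
$installed  = Get-HotFix | Select-Object -ExpandProperty HotFixID
$missingKBs = @($RequiredKBs | Where-Object { $_ -notin $installed })

# 2) Root CA. Windows fetches missing roots on demand through the automatic root
#    certificate update, so look in both the Root and AuthRoot stores, and report
#    whether that mechanism is turned off by policy (DisableRootAutoUpdate = 1).
$caName   = 'Microsoft Identity Verification Root Certificate Authority 2020'
$rootCert = Get-ChildItem -Path Cert:\LocalMachine\Root, Cert:\LocalMachine\AuthRoot -ErrorAction SilentlyContinue |
    Where-Object { $_.Subject -like "*CN=$caName*" } |
    Select-Object -First 1

$policy = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot' `
    -Name DisableRootAutoUpdate -ErrorAction SilentlyContinue
$autoRootUpdateDisabled = ($policy.DisableRootAutoUpdate -eq 1)

# Flag only endpoints that do not support ACS by default and show a possible gap.
# A flagged endpoint still needs the build-number check described above before
# it is treated as non-compliant.
$possiblyMissing = (-not $supportsAcsByDefault) -and
                   (($missingKBs.Count -gt 0) -or (-not $rootCert))

[pscustomobject]@{
    ComputerName                = $env:COMPUTERNAME
    OsBuild                     = "$build.$ubr"
    DisplayVersion              = $displayVersion
    SupportsAcsByDefault        = $supportsAcsByDefault
    MissingKBs                  = ($missingKBs -join ',')
    RootCaPresent               = [bool]$rootCert
    RootCaThumbprint            = $rootCert.Thumbprint
    AutoRootUpdateDisabled      = $autoRootUpdateDisabled
    PossiblyMissingDependencies = $possiblyMissing
}
```

<p>Run it on each endpoint, or through a management tool that can execute PowerShell, and collect the objects it returns. Read the result in the light of the caveats above: a non-empty MissingKBs on a current OS build is usually a false positive caused by cumulative updates, and RootCaPresent false with AutoRootUpdateDisabled false will normally resolve itself the first time Windows builds a chain to that root while Windows Update is reachable. Endpoints reporting AutoRootUpdateDisabled true and RootCaPresent false are the ones where the CA certificate has to be installed by hand; compare the RootCaThumbprint value against the thumbprint Microsoft publishes for that certificate before trusting a manually distributed copy.</p>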
</article>
</main>