UPDATED 29.2.2024: Clarified the release schedule of the new client that mandates ACS.
UPDATED 14.2.2024: Linked back to customer support article, as well as documenting new statuses within the Elements Security Center to reflect the missing ACS support.
UPDATED 16.1.2024: Added note that this change becomes MANDATORY with upcoming client changes during February 2024
UPDATED 24.5.2023: Added instructions for administrators with steps of what to do after patching the Operating System
UPDATED 22.5.2023: We have now released hotfixes for the Client Security, Server Security, and Email and Server Security that the Business Suite admin can deploy to devices that have been patched. The hotfixes will trigger reinstallation of the Security Core, and can be found under the relevant product at
https://www.withsecure.com/en/support/download
UPDATED 16.5.2023 The WithSecure Elements Security Center will now advise Administrators about hosts that do not meet these requirements, with an explanation, and a link to this article so they can apply the required Microsoft patches.
UPDATED 10.5.2023 As of 9.5.2023, this change is Mandatory. If you see failures to install Ultralight updates, please ensure your system is patched following the details below. References to March 3rd in this article were valid at initial publishing, but the first actual release with the change happened on May 9th.
UPDATED 22.2.2023 Article rewritten with further clarification.
UPDATED 14.2.2023 to clarify some parts
In a world where cyber criminals seek to exploit even the smallest vulnerabilities to get access to your devices and data, it is really important to maintain your operating systems to the latest vendor patch level.
All Operating System vendors, including Microsoft, Apple, Google and all the Linux vendors, strongly recommend that their customers patch their devices regularly with the latest available patches, to help reduce the threat.
Using an unpatched operating system is risky, and WithSecure always recommends keeping patches up to date.
Occasionally, software vendors will change their requirements on minimum supported versions of operating systems, often in alignment with the OS vendor. Microsoft now requires a minimum patch level of October 2021 for certain types of files included in third-party software, and WithSecure is changing its requirements in alignment.
Background
The WithSecure Agents on Microsoft Windows use a Windows mechanism called Protected Process Light (PPL) to protect key services from tampering, even by admin-level users.
Microsoft has recently introduced new code signing requirements for PPL binaries that affect all security vendors. These binaries must now be signed using Azure Code Signing (ACS), whereas previously vendors could sign using their own digital certificate. This ACS requirement in turn requires that customer endpoints have the necessary dependencies in place to validate ACS signatures; see below for details.
What will happen on March 3rd, 2023?
On March 3rd 2023, the legacy WithSecure certificate for signing PPL binaries will expire and Agent updates issued after this date will not load unless they are ACS-signed AND customer endpoints have the necessary dependencies in place. WithSecure binaries signed before this date will remain valid on all endpoints.
Failure to load the agent’s PPL binaries would mean that protection and monitoring coverage is lost. However, WithSecure will ensure that functionality for previously installed agents is preserved beyond March 3rd 2023 by preventing the installation of updates on endpoints which don’t meet the ACS validation dependencies.
In general, new installations of the WithSecure Agents will fail on endpoints missing the ACS dependencies after May 9th 2023. While installation is possible on unpatched devices, the security core will not install, and these devices will report a malfunction shortly after installation.
What does this mean in simple terms?
Existing installations (made before 9th May 2023) of the listed products on devices that do not have the necessary Microsoft patches will continue to function, but protection capabilities will decrease over time, as updates to our security core technology are not taken into use until the required Microsoft patches are installed.
NOTE: On 4 March 2024 we will roll out version 24.2 to early access, with the global release a week later. This version will make the ACS (Azure Code Signing) dependencies MANDATORY. Endpoints missing the ACS dependencies will not be upgraded automatically to version 24.2 and will keep using the current version. The upgrade will happen automatically once the ACS requirements are met.
https://community.withsecure.com/en/kb/articles/31236-upcoming-changes-to-withsecure-elements-client-installations
New installations (after May 9th 2023) of the listed products on devices that do not have the necessary Microsoft patches will fail to install our security core technology and will not be protected at all.
Which WithSecure Agents are affected?
All versions of the following products on Microsoft Windows are affected by this:
What are the ACS validation dependencies?
There are two dependencies:
- Installation of security patches released by Microsoft in September and October 2021, as documented here.
- Installation of the ‘Microsoft Identity Verification Root Certificate Authority 2020’ CA certificate.
No action is required for the following recent versions of Windows, since they support ACS by default:
- Windows 11
- Windows 10 22H2
- Windows 10 21H2
How can customers identify Windows endpoints which are missing the ACS dependencies?
WithSecure expects that the vast majority of customer endpoints already meet the dependencies, although it is not possible to make a definitive assessment in advance of the March 3rd 2023 date.
Customers can check for patch installation using the Knowledge Base (KB) numbers documented by Microsoft. However, checking by individual KB number can be unreliable because patches may be absorbed into later KBs, meaning that the dependencies can be met even if the specific KB documented by Microsoft has not been installed.
Most Windows endpoints will already meet the CA certificate dependency because new root certificates are downloaded through automatic update mechanisms. However, customers who have disabled the automatic update mechanism will need to ensure that the new Microsoft CA certificate is in place.
In addition, customers can check on the Endpoint itself:
- The local User Interface will show "Will try again" in the Updates section
- In C:\ProgramData\F-Secure\Log\Ultralight\install-ulcore-win64.log these lines (or similar) would be logged:
2023-04-19 16:37:46.343 [1d84.2250] *F: MainLogic::CheckIntegrityPolicy: Signature of 'C:\Program Files (x86)\F-Secure\PSB\Ultralight\ulcore\<number>\fshoster64.exe' is not compliant with Windows Code Integrity policy. Can not install 'ulcore' update
2023-04-19 16:37:46.343 [1d84.2250] *E: MainLogic::execute: Installation error: 14
In addition, since early February 2024, the Elements Security Center will show a device with status "Broken ACS", if it does not meet the requirements. At the same time it refers the security administrator to this article for the required steps.
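The two endpoint-side checks described above can be scripted. The following PowerShell is an added example, not a WithSecure tool: it looks for the CA certificate named in this article in the machine's Trusted Root store and searches the Ultralight install log for the Code Integrity failure quoted above. The function names are hypothetical, and the search pattern assumes the log wording matches the sample lines (the article notes the real lines may only be similar).

```powershell
# Added example: run in a PowerShell session on the endpoint being checked.
$CaName  = 'Microsoft Identity Verification Root Certificate Authority 2020'
$LogPath = 'C:\ProgramData\F-Secure\Log\Ultralight\install-ulcore-win64.log'

function Test-AcsRootCertificate {
    # True when a non-expired certificate carrying the CA name from the
    # article is present in the LocalMachine Trusted Root store.
    param([string]$Name = $CaName)
    $now = Get-Date
    $found = Get-ChildItem -Path Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -like "*CN=$Name*" -and $_.NotAfter -gt $now }
    return [bool]$found
}

function Get-AcsInstallFailure {
    # Returns one object per log line matching the Code Integrity failure
    # quoted in the article (pattern is an assumption based on that sample).
    param([string]$Path = $LogPath)
    if (-not (Test-Path -LiteralPath $Path)) { return @() }
    $pattern = 'CheckIntegrityPolicy: Signature of ''(?<file>[^'']+)'' is not compliant'
    Select-String -LiteralPath $Path -Pattern $pattern |
        ForEach-Object {
            # Leading timestamp, e.g. "2023-04-19 16:37:46"
            $ts = if ($_.Line -match '^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})') { $Matches[1] }
            [pscustomobject]@{
                Timestamp = $ts
                Binary    = $_.Matches[0].Groups['file'].Value
                Line      = $_.Line
            }
        }
}

# Summary object that can be collected centrally (CSV, RMM tool, etc.).
$failures = @(Get-AcsInstallFailure)
[pscustomobject]@{
    Computer          = $env:COMPUTERNAME
    RootCaPresent     = Test-AcsRootCertificate
    IntegrityFailures = $failures.Count
    LastFailure       = ($failures | Select-Object -Last 1).Timestamp
}
```

A host that reports `RootCaPresent` as True but still logs integrity failures most likely lacks the Microsoft patches rather than the certificate; failures dated before the host was patched and rebooted are historical and do not indicate a remaining problem.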
I have patched my operating system, but the product still shows that it is outdated. What do I do next?
Once you've patched and rebooted the operating system, your protection might still say that it is outdated. This will resolve itself the next time we publish an update to the Security Core package.
If you need to force an update earlier to bring protection up to date, you can do one of the following:
- For Client Security, Server Security, or Email and Server Security (all version 15.30), you can download https://download.f-secure.com/corpro/cs/cs15.30/fscs1530-hf11-signed.jar and distribute it using your Policy Manager
- For WithSecure Elements, WithSecure Countercept, and other versions of the Business Suite products, you can download https://download.f-secure.com/support/tools/FSAUA-Reset/fsaua-reset.exe, open a command prompt with Administrator rights, and execute it from the command prompt. This will reset the security core download and apply it again.