Microsoft is making changes to its Authenticode Code Signing (ACS) process, and this may affect users of Trend Micro products on certain Microsoft Windows operating systems. This article outlines the potential impact and necessary actions to ensure continued compatibility and protection.
Affected Products and Versions
The following Trend Micro products and versions are potentially affected by the Microsoft ACS changes:
| PRODUCT | AFFECTED VERSIONS | PLATFORM |
|---|---|---|
| Trend Micro Apex One | 2019 (All On-prem) | Microsoft Windows |
| Trend Micro Apex One as a Service | All (SaaS) | Microsoft Windows |
| Trend Micro Cloud One – Workload & Endpoint Security (Agent) | All | Microsoft Windows |
| Trend Micro Deep Security (Server / Agent) | 9.6**, 10.0**, 12.0, 20.0 | Microsoft Windows |
| Trend Micro Worry-Free Business Security (WFBS Standard and Advanced) | 10.0 | Microsoft Windows |
| Trend Micro Worry-Free Business Security Services | All (SaaS) | Microsoft Windows |
It is crucial to verify the versions of Trend Micro products you are currently using to determine if you are impacted.
Minimum Windows OS Levels Required
To maintain compatibility, your Microsoft Windows operating systems need to be updated to the minimum levels specified by Microsoft. These updates ensure support for the new Authenticode Code Signing (ACS). Below are the minimum required OS levels as of December 22, 2022, based on Microsoft KB5022661:
| PLATFORM and VERSION | MS KB NUMBER | INITIAL RELEASE DATE |
|---|---|---|
| Windows 11 Windows 10 22H2 | Supports ACS by Default – no further action required | |
| Windows 10 21H2 | 5011487 (for 21H2 build older than 19044.1586) | March 8, 2022 |
| Windows Server 2022 | 5005619 | September 27, 2021 |
| Windows 10 2004 Windows 10 20H2 Windows 10 21H1 | 5005611 | September 30, 2021 |
| Windows 10 1909 | 5005624 | September 21, 2021 |
| Windows 10 1809 Windows Server 2019 | 5005625 | September 21, 2021 |
| Windows Server 2016 | 5006669 | October 12, 2021 |
| Windows 10 1507 | 5006675 | October 12, 2021 |
| Windows 8.1 Windows Server 2012 R2* | 5006714 (Monthly rollup) 5006729 (Security-only rollup) | October 12, 2021 |
| Windows Server 2012* | 5006739 (Monthly rollup) 5006732 (Security-only rollup) | October 12, 2021 |
| Windows Server 2008 SP2 | 5006736 (Monthly rollup) 5006715 (Security-only rollup) | October 12, 2021 |
| Windows 7.0 SP1 (ESU) Windows Server 2008 R2 (ESU) | 5006743 (Monthly rollup) 5006728 (Security-only rollup) See Below (Impact – Windows 7)** | October 12, 2021 |
| Windows Server 2000 Windows Server 2003 Windows XP | See Below (Impact – Legacy OS for Deep Security)*** |
Ensure your systems are updated to these minimum levels to avoid potential disruptions.
Impact of Not Updating Windows OS
If your Windows OS is not updated to the minimum builds or patches by mid-February 2023, you may encounter issues. Specifically, Trend Micro security agent services might fail to start after applying a binary update signed with the new ACS.
- New Installations: Fresh installations of Trend Micro solutions using software versions released before mid-February 2023 are not affected by these Windows patch requirements.
- Existing Customers with Patches: Customers who have already applied the necessary Windows patches through regular maintenance will experience no impact when applying new Trend Micro patches or updates after mid-February.
Trend Micro is proactively implementing agent-side protections. These measures will warn or automatically prevent installations of ACS-signed binary updates on systems lacking the required Windows patches, further safeguarding your environment.
Considerations for Windows Server 2012 and 2012 R2*
Microsoft has ended regular support for Windows Server 2012 and 2012 R2 since October 10, 2023. If you do not have a Microsoft Extended Security Update (ESU) contract, you will no longer receive regular security updates directly from Microsoft.
Crucially, even without a Microsoft ESU contract, your Trend Micro products will continue to receive vital detection and protection updates, including pattern files and IPS rules.
Trend Micro remains committed to providing the best possible support for these platforms. However, be aware that future advanced detection and protection functionalities may be limited if they necessitate underlying OS updates that are unavailable without an ESU. Trend Micro will provide timely notifications of any such changes to minimize potential disruptions.
Important Notes for Windows 7 and Windows Server 2008**
As previously stated, Trend Micro products will maintain protection and receive regular detection updates. However, future advanced feature updates (like Scan Engine or advanced detection modules) might require ACS-signed binaries and may not install correctly on unsupported or unpatched platforms. Trend Micro will strive to provide advance notice of such changes to prevent disruptions.
Consider these scenarios for Windows 7 and Windows 2008/2008 R2 support:
- Customers with Microsoft Extended Security Update (ESU) Contracts:
- If you still use Windows 7 or Windows Server 2008/2008 R2 (excluding Azure deployments), ensure you have an ESU agreement with Microsoft to obtain necessary patches, as the official ESU ended in January 2023.
- Minimum requirements for Windows 7 are covered by KBs: KB4474419 and KB4490628.
- Reminder: Trend Micro is ending official support for Windows 7 on Apex One and WFBS, aligning with Microsoft’s ESU end in January 2023. Refer to: Trend Micro’s Official Position on Microsoft Windows 7 End-of-Support (EOS) for Business Endpoint Products.
- Customers without Microsoft Extended Security Update (ESU) Contracts:
- If you are on Windows 7 and Windows 2008 without ESU contracts or cannot apply the necessary Microsoft security updates for ACS support, you will still receive protection through detection pattern updates and IPS rules, depending on your product.
Assess your Windows 7 and Server 2008 environment and ESU status to understand the support implications.
Legacy OS Support for Deep Security***
Trend Micro has provided best-effort support for Deep Security versions 9.6 and 10.0 agents protecting legacy operating systems, including:
- Windows Server 2000
- Windows Server 2003
- Windows XP
Due to Microsoft’s lack of security patches for ACS signing on these legacy platforms, Trend Micro cannot provide new binaries for hotfixes, patches, or vulnerability fixes for agents on these platforms after February 2023. This limitation is due to an OS-level requirement from Microsoft and is beyond Trend Micro’s control.
Detection updates like pattern files (for anti-malware) and IPS rules will continue on these legacy platforms. Trend Micro will continue best-effort support for other issues but will be limited in resolving problems requiring code changes.
This policy supersedes all prior communications regarding Deep Security legacy OS support.
Important Certificate Authority (CA) Information
If you disable “trusted root CA auto updates” or operate in air-gapped or locked-down environments, you must manually apply the Microsoft Identity Verification Root Certificate Authority 2020 if you haven’t already.
Trend Micro endpoint customers needing guidance on manual CA application or assistance tools can consult this Trend Micro KB article.
Need Further Assistance?
For any questions or concerns, please contact Trend Micro Technical Support for expert assistance.
Micro Servers and OS Compatibility: A Critical Consideration
While this article focuses on general Windows server environments, the principles are equally critical for Micro Servers. Often deployed in resource-constrained or edge computing scenarios, micro servers rely heavily on efficient and compatible software. Ensuring your micro server operating systems are updated to meet these minimum requirements is paramount for maintaining both security and operational continuity when using Trend Micro products. Neglecting these updates can lead to service disruptions, leaving your micro server infrastructure vulnerable. Therefore, proactive patch management and OS updates are essential for robust micro server deployments protected by Trend Micro.
