AppLocker Rules and Root Certificate Dependency
I am using AppLocker rules with Publisher conditions, which are based on digitally signed executable files.
The signatures are timestamped (countersigned) within the code signing certificate's validity period. When implemented correctly, everything functions well. However, a question arises regarding the dependency on root certificates, whether directly or indirectly linked (via intermediate certificates) to the signature.
Does AppLocker require a valid trusted root certificate to allow or deny execution of a signed file, or does the timestamp ensure the rule's outcome indefinitely? Specifically, does the expiration or revocation of the trusted root certificate impact AppLocker, as long as the signature is timestamped as described?
An authoritative answer on this matter would be greatly appreciated.