is there any reason for breaking 'Microsoft Root Certificate Authority' certificate in Windows 10 20H2 ?

Question

Hello,

it seems there is a problem which is broken ''Microsoft Root Certificate Authority' certificate in My customer's PC(Windows 10 20H2).

When they tried to install a printer driver which get signed with sha1 alorithm, the Windows 10 OS don't know the driver got the digitally signed.

They tried to install the printer driver using Add printer wizard and it showed 'it is not digitally signed'.(Sorry about chinese. they translated it.)

• printer driver download link from HP : https://h30438.www3.hp.com/pub/softlib/software13/printers/MFP130/HP_Laser_MFP_131_133_135-138_Driver.exe

But, we found out a driver which get signed with sha256 can be installed without no issue in the customer's windows 10.

So we tested this issue on several Windows 10 environment, but it didn't reproduce. the driver with signed sha1 can be installed on all our test Windows 10.
The add printer wizard showed ' the driver is digitally signed.'

we suspect this is one issue of 'Microsoft Root Certificate Authority' certificate. The certificate of customer's Window 10 doesn't have a compatibility for a driver with signed sha1 with any reason.

Could you know why Windows 10 don't allow the installing a driver with signed sha1 all of sudden ?

(FYI, )

I tried to reproduce similiar situation of it.

• from my test Windows 10, Remove the certificate forcedly and add it again using certmgr.msc => I reproduced this issue.
• from this site, I got an resolution and then I tried to perform(reinstall) Windows 10 in-place upgrade in my test PC as https://www.thewindowsclub.com/perform-windows-10-in-place-upgrade
  => fixed this issue

Answer 1

SHA1 is no longer accepted:
https://support.microsoft.com/en-us/topic/kb5003341-issues-you-might-encounter-when-sha-1-trusted-root-certificate-authority-expires-529ae5de-5419-4ae8-a7fc-6dedef110e6b