Beginning in mid-February 2023, the cross-signing certificate used in the products listed below will expire and cannot be renewed. Any customer wishing to apply a new patch, hotfix, or updated product binary to any of the Trend Micro products listed below must be running a version of Microsoft Windows that has been updated to support the Azure Code Signing (ACS) program, which replaced the deprecated cross-signing program.
These Windows updates were first introduced in September and October 2021 and have been subsequently included in Microsoft’s monthly quality updates. Customers who receive monthly quality updates are already covered.
Additional information is available in Microsoft’s official KB article (KB5022661).
In addition to applying the necessary Windows security patch to enable ACS support, companies that do not allow “trusted root CA auto updates” or are running in air-gapped or otherwise locked-down environments should also read the section below titled Important Information Regarding the Certificate Authority (CA).
In environments without the Microsoft security patches that enable ACS, Trend Micro products will continue to protect customers and will still receive regular detection/protection updates such as pattern files and IPS rules. However, if, despite our best efforts, there are future threats or significant updates to the surrounding landscape, future Trend Micro updates to advanced features (e.g. Scan Engine or other advanced detection modules) may require ACS-signed binaries and may not install properly on unpatched or unsupported platforms. In this event, Trend Micro will try to give as much advance notice as possible of any changes to avoid potential disruption.
Impact
Customers who do not have the minimum OS build/patch of Microsoft Windows beginning in mid-February 2023 may encounter errors where the Trend Micro security agent service(s) would fail to start after applying an updated binary signed with ACS.
New installs of Trend Micro solutions can be performed with the latest version of the software released before mid-February 2023 without taking into consideration these minimum Windows patches.
Customers who have already applied the necessary Windows patches above through regular patch maintenance will see no impact when applying new patches or updated binaries after mid-February.
Trend Micro is also looking to apply agent protections before the mid-February cutover that will warn or automatically prevent users who do not have the minimum Windows patch requirements from installing an ACS-signed binary update.