Introducing Azure Code Signing (ACS) Requirements: Ensuring Secure Endpoint Protection
In today’s digital landscape, ensuring the authenticity and integrity of software code is paramount. Read on to find out how it affects you.
Azure code signing plays a crucial role in establishing trust and preventing unauthorised tampering. Recognising this, Microsoft recently introduced a significant update in late 2021, bringing Azure Code Signing (ACS) requirements to various versions of the Windows Operating System.
In this blog post, we’ll delve into the details of this update and how it affects Endpoint Protection vendors on Windows platforms, most specifically Sophos, whose solutions we deploy as a Sophos Gold Partner.
Understanding Azure Code Signing (ACS)
Azure Code Signing (ACS) is a framework introduced by Microsoft to enhance code security and establish trust in software distribution. By digitally signing software code, Azure Code Signing verifies the authenticity of said software code and ensures that it has not been modified by unauthorised sources. This helps protect end-users from potential malware, tampering, or other security risks.
Mandatory ACS Requirements for Endpoint Protection Vendors
Microsoft has made Azure Code Signing mandatory for Endpoint Protection vendors on Windows platforms. This means that vendors – such as Sophos – need to comply with ACS requirements to ensure their solutions meet the necessary standards for code signing. By doing so, vendors can provide enhanced security to end-users and protect against potential threats.
Sophos Intercept X and Intercept X for Server: Compliant with ACS
As an industry leader in Endpoint Protection, Sophos is committed to delivering top-notch security solutions. In line with the ACS requirements, Sophos Intercept X and Intercept X for Server, in their upcoming releases, will be fully compliant with ACS. This ensures that Sophos customers can continue to enjoy the highest level of protection while benefiting from the added layer of trust established through code signing.
Considerations for Windows Updates
If you regularly apply Windows Updates to your Endpoints and Servers, the introduction of ACS requirements will not impact you. However, it’s essential to be aware that new installations and updates may encounter issues if your Windows device is not running a version that complies with ACS. It is recommended to review your Windows environment and ensure compliance to avoid any potential interruptions during installations or updates. The table below lists the supported Windows operating systems by version.
Impacted Operating Systems
| Windows OS | ACS release support date | Microsoft Windows Update / KB reference | Comments |
| --- | --- | --- | --- |
| Windows 11; Windows 10 22H2; Windows 10 21H2 | NA | NA | Supports ACS by default; no action required |
| Windows Server 2022 | September 27, 2021 | KB5005619 | |
| Windows 10, version 2004; Windows 10, version 20H2; Windows 10, version 21H1 | September 30, 2021 | KB5005611 | Windows 10, version 2004 is retired and no longer supported by Sophos, see Sophos Endpoint and Server Protection: Previously supported platforms and operating system. Windows 10, version 20H2 will retire at the end of May 2023. |
| Windows 10, version 1909 | September 21, 2021 | KB5005624 | Windows 10, version 1909 is retired and no longer supported by Sophos, see Sophos Endpoint and Server Protection: Previously supported platforms and operating system. |
| Windows 10, version 1809; Windows Server 2019 | September 21, 2021 | KB5005625 | |
| Windows 10, version 1607; Windows Server 2016 | October 12, 2021 | KB5006669 | |
| Windows 10, version 1507 | October 12, 2021 | KB5006675 | |
| Windows 8.1; Windows Server 2012 R2 | October 12, 2021 | KB5006714 (Monthly rollup); KB5006729 (Security-only update) | *Legacy platforms not impacted at this point |
| Windows Server 2012 | October 12, 2021 | KB5006739 (Monthly rollup); KB5006732 (Security-only update) | *Legacy platforms not impacted at this point |
| Windows 7.0 SP1; Windows Server 2008 R2 | October 12, 2021 | KB5006743 (Monthly rollup); KB5006728 (Security-only update) | *Legacy platforms not impacted at this point |
| Windows Server 2008 SP2 | October 12, 2021 | KB5006736 (Monthly rollup); KB5006715 (Security-only update) | Windows 2008 SP2 is retired and no longer supported by Sophos, see Sophos Endpoint and Server Protection: Previously supported platforms and operating system. |
*Note: Legacy platforms are not impacted yet as Sophos has not recently updated user mode Portable Executables on these platforms. From the 18th April 2023, new installations to operating systems that don’t support Azure Code Signing (ACS) will fail.
Still unsure where you stand?
At Fusion, we value our customers’ satisfaction and are committed to providing exceptional technical support. If you have any questions or require further assistance regarding Azure Code Signing requirements or any other security concerns, please don’t hesitate to contact your Fusion Account Manager. Our team is here to ensure the security of your business and address any inquiries you may have.