MicrosoftFor CertPadding i now see that there is a GPO piece to set it. Previously we had to do this with a registry key (via GPO). I wonder if both ways are backwards compatible with each other. Because, if we remove our registry based fix and set it as new GPO setting, will it work? Will new GPO setting set same registry path essentially? Or maybe we can leave both on? As Windows 10 and Windows 11 22H2 (we still have those) will not support new GPO and then registry should work for them?
The GPO setting configured through the "MS Security Guide" administrative template actually works better than the previously-published registry hack. Details here:
Enable Certificate Padding Check: REG_SZ or REG_DWORD? | by Aaron Margosis | Medium
I think i have mistaken some settings in policy comparison as WinVerifyTrust. It seems that there is no new setting for this (i mean a GPO setting), but still the registry change that is required (which can be done via Registry section of GPO, which we did). We are using REG_SZ (string) as this what was recommended on MS article at the point of implementing it. Qualys is still happy, so we are happy too. And it is working. Recently one new software vendor was having issues providing us newly built binaries with their toolset. Because they had some modifications in the padding and signature was missing. As WinVerifyTrust fix was done years ago and we didn't know what issues it can cause (nothing similar was reported in years), it was a mystery to figure out what is happening. Binary would look fine on our home PCs, but not when downloaded to a work PC. Which is curious, that home users are not protected from this. I wonder when MS will flip a switch on this one and build it into OS with updates.
Interesting situation! I think it really matters only when you're restricting execution based on file signatures. Windows does not do that by default, and will allow you to execute files with missing or even invalid signatures.
I don't know whether it was not running or not. It was a binary for a POS system, so i haven't even tried to run it. Because main issue reported was missing signature, so we focused on that. Maybe they were doing some validation based on signature. That was the first and only real world case after enabling that registry a few years ago.
