What’s past is prologue: When code-signing in Windows 11 goes bad

Once upon a time in technology, many years ago, Microsoft previewed server software to great fanfare at a meeting of IT pros. The company demonstrated how easy it was to use the software, which would automatically install the server, email server, and Sharepoint server — all in less than 30 minutes.

There was one problem: every time Microsoft went to demonstrate the server software, it would fail with an unclear error message.

Back then, I would sometimes post and answer questions in a Microsoft newsgroup. Just before Thanksgiving, I started seeing consultants trying to install the software see the same failure. One person in the forum thread figured out the issue: a specific SharePoint dll file used during the installation had a Nov. 23 expiration date. If you installed the server software before that date, you had no issues. If you tried to do it after, the installation would fail. The workaround? Go into the bios of the server, set the date back to before Nov. 23, install the software, then set the clock back to the correct time.

If you know anything about Active Directory domain controllers, you know that changing dates and times isn’t usually wise. Fortunately, the servers suffered no ill effects and — other than egg on their faces for a less-than-ideal product release in Australia —Small Business Server 2003 went on to further acclaim.

Why am I relaying  this story now? Because it shows that release bugs in new tech are nothing new. Microsoft uses a process of code signing files to validate and verify that files are legitimate. If the certificate isn’t valid or has expired, the operating system or specific files may not work. And that’s why reports starting popping up last week about a certificate that unexpectedly expired, triggering issues with applications in Windows 11. (The company pushed out a patch to correct the issue Friday; more information about that below.)

Affected PCs running either Windows 11 Home or Pro had issues with the following applications:

  • Touch Keyboard, Voice Typing, and Emoji Panel;
  • Input Method Editor user interface (IME UI);
  • Getting started and Tips;
  • Snipping Tool.

Users running Windows 11 S mode (a specific Home version that allows you to install software only from the Microsoft Store), may also have seen issues with the Accounts page and landing page in the Settings app and then Start menu.

As Matt Graeber pointed out on Twitter: “The MinCryptVerifyCertificateWithPolicy2 function in ci.dll returns STATUS_IMAGE_CERT_EXPIRED when a file is preview build signed _and_ the cert is expired.”

Bottom line, Microsoft used beta, or in this case Insider edition code, in the final version of Windows 11 — and the certificate on the code expired Oct. 31. Not only that, but the code was signed by the Microsoft Development Certificate Authority. Graeber went on: “Where I feel more comfortable speculating now is that failing to load expired preview build code is intentional in order to make the OS inoperable to users attempting to use preview versions of the OS indefinitely.”

Code signing is important. It’s one of the reasons Microsoft can break up security patches into pieces and use technology such as delivery optimization techniques that allow them to be delivered either directly from Microsoft or from shared computers in your peer-to-peer network. The pieces are then recombined — and the code is validated to ensure it has not been tampered with. You can obtain your patches from anywhere and the platform will always confirm that the patch you install is valid Microsoft code and has not been tampered with.

Normally, when Microsoft releases a final product, it removes the developer certificates and replaces them with the final signing process.

While there was a preview patch for Windows 11 that dealt with most of the issues, Microsoft helpfully released an out-of-band patch on Friday to fix the problem. KB5008295 should “completely resolve a set of issues affecting the Snipping Tool, Touch Keyboard, some built-in apps and S Mode on Windows 11,” the company said on Twitter.

More detailed info is available here.

At Askwoody.com we use the “MS-DEFCON process” for patching recommendations. Using a scale of one to five ,we let people know when it’s safe to install updates. (A 1 means no updates should be installed; a 5 means all is clear.) I was recently asked when we would start including Windows 11 in the MS-DEFCON system. While I track updates to Windows 11 because it’s now considered a “released product,” I still consider it to be in the early testing phase; I don’t recommend that it be installed on production systems. 

While Windows 11 will recover from this code-signing problem, it still points out why Microsoft’s new OS  should be considered only for testing. Clearly, Windows 11 needs a bit more time for bugs to be worked out.

The good news in this era of Windows updates is that Microsoft didn’t have to manufacture new installation CDs to deal with this problem. It was a fairly quick and easy fix. But I still find it noteworthy that even with new code development processes and procedures over the past two decades, bugs like this still crop up.