Affected Products
| PRODUCT | AFFECTED VERSIONS | PLATFORM |
|---|---|---|
| Trend Micro Apex One | 2019 (All On-prem) | Microsoft Windows |
| Trend Micro Apex One as a Service | All (SaaS) | Microsoft Windows |
| Trend Micro Cloud One – Workload & Endpoint Security (Agent) | All | Microsoft Windows |
| Trend Micro Deep Security (Server / Agent) | 9.6**, 10.0**, 12.0, 20.0 | Microsoft Windows |
| Trend Micro Worry-Free Business Security (WFBS Standard and Advanced) | 10.0 | Microsoft Windows |
| Trend Micro Worry-Free Business Security Services | All (SaaS) | Microsoft Windows |
Minimum Windows OS Levels (updated as of 12/22/2022 from MS KB5022661)
| PLATFORM and VERSION | MS KB NUMBER | INITIAL RELEASE DATE |
| Windows 11 Windows 10 22H2 | Supports ACS by Default – no further action required | |
| Windows 10 21H2 | 5011487 (for 21H2 build older than 19044.1586) | March 8, 2022 |
| Windows Server 2022 | 5005619 | September 27, 2021 |
| Windows 10 2004 Windows 10 20H2 Windows 10 21H1 | September 30, 2021 | |
| Windows 10 1909 | 5005624 | September 21, 2021 |
| Windows 10 1809 Windows Server 2019 | 5005625 | September 21, 2021 |
| Windows Server 2016 | 5006669 | October 12, 2021 |
| Windows 10 1507 | 5006675 | October 12, 2021 |
| Windows 8.1 Windows Server 2012 R2* |
5006714 (Monthly rollup) 5006729 (Security-only rollup) | October 12, 2021 |
| Windows Server 2012* |
5006739 (Monthly rollup) 5006732 (Security-only rollup) |
October 12, 2021 |
| Windows Server 2008 SP2 |
5006736 (Monthly rollup) 5006715 (Security-only rollup) | October 12, 2021 |
| Windows 7.0 SP1 (ESU) Windows Server 2008 R2 (ESU) |
5006743 (Monthly rollup) 5006728 (Security-only rollup) See Below (Impact – Windows 7)** | October 12, 2021 |
| Windows Server 2000 Windows Server 2003 Windows XP | See Below (Impact – Legacy OS for Deep Security)*** |
Impact
Customers who do not have the minimum OS build/patch of Microsoft Windows beginning in mid-February 2023 may encounter errors where the Trend Micro security agent service(s) would fail to start after applying an updated binary signed with ACS.
- New installs of Trend Micro solutions can be performed with the latest version of the software released before Mid-February 2023 without taking into consideration these minimum Windows patches.
- Customers who have already applied the necessary Windows patches above through regular patch maintenance will see no impact when applying new patches or updated binaries after Mid-February.
Trend Micro is also looking to apply agent protections before the Mid-February cutover that will warn or automatically prevent users who do not have the minimum Windows patch requirements from installing an ACS-signed binary update.
* Windows Server 2012 and 2012 R2.
Microsoft ended regular support for Windows Server 2012 and 2012 R2 as of October 10, 2023, meaning customers who do not have Microsoft Extended Security Update (ESU) contracts will no longer be receiving regular security updates from Microsoft directly.
Regardless of whether or not a customer has a Microsoft ESU contract, Trend Micro products will still receive regular detection/protection updates such as pattern files and IPS rules.
Trend Micro will continue to try and provide support as best as best as possible for this platform, but please be aware that future functionality in the form of updated or new advanced detection and protection may be limited for customers that do not have ESUs if there are requirements for underlying OS updates. In this event, Trend Micro will try and give as much advanced notice as possible of any changes to avoid potential disruption.
** Windows 7 and Windows Server 2008.
As noted above: Trend Micro products will continue to protect customers and will still receive regular detection/protection updates such as pattern files and IPS rules. However, if despite our best efforts, there are future threats or significant updates to the surrounding landscape, Trend Micro future updates to advanced features (e.g. Scan Engine or other advanced detection modules) may require ACS signed binaries and may not properly install on unpatched or unsupported platforms. In this event, Trend Micro will try and give as much advanced notice as possible of any changes to avoid potential disruption.
Please note the following scenarios regarding Microsoft Windows 7 and Windows 2008/2008 R2 support:
- Customers with Microsoft Extended Security Update (ESU) Contracts
- Customers who still have Windows 7 and Windows Server 2008/2008 R2 (Not in Azure) deployed will need to ensure that they have an ESU agreement with Microsoft to obtain the patches necessary since the official ESU date ends in January 2023.
- The following KBs cover the necessary minimum requirements for Windows 7: KB4474419 and KB4490628.
- REMINDER: in accordance with Microsoft’s ending of ESU in January 2023, Trend Micro will be ending all official support for Windows 7 on Apex One and WFBS. Please refer to the following announcement for further details: Trend Micro’s Official Position on Microsoft Windows 7 End-of-Support (EOS) for Business Endpoint Products.
- Customers without Microsoft Extended Security Update (ESU) Contracts
- Customers on Windows 7 and Windows 2008 that do not have ESU contracts or cannot otherwise apply the necessary Microsoft security updates to enable ACS support will still receive protection in the form of detection pattern updates or IPS rules depending on the product used.
*** Legacy OS for Deep Security
Trend Micro had originally communicated and continues to provide best effort support for Deep Security versions 9.6 and 10.0 agents protecting legacy operating systems including:
- Windows Server 2000
- Windows Server 2003
- Windows XP
Unfortunately, since Microsoft has not provided any official security patches to enable the ACS signing requirement on these legacy platforms, Trend Micro will no longer be able to provide new binaries for hotfixes, patches or vulnerability fixes for agents running on these platforms after February 2023. This is an operating system level requirement from Microsoft and out of Trend Micro's control. As mentioned above, regular detection updates such as pattern files (for anti-malware) and IPS rules will continue to be updated on these platforms, and Trend Micro will continue to try and provide best effort support for all other issues on these platforms but will be limited to resolve any issues that may require code changes.
Please note that this policy will supersede all previous policies communicated on Deep Security legacy OS support for these platforms.
Important Information Regarding the Certificate Authority (CA)
Customers who do not allow “trusted root CA auto updates” or are in air-gapped or otherwise locked down environments will also have to ensure they apply the Microsoft Identity Verification Root Certificate Authority 2020 if they have not already done so.
Trend Micro endpoint customers needing more information on applying this CA manually or are looking for a tool to assist can refer to this Trend Micro KB article for more information.
Additional Assistance
Customers who have questions are encouraged to contact Trend Micro Technical Support for further assistance.