Before you approve or ban a certificate, consider the impact to avoid an unexpected result.

When you view the Publisher Details page, the All Certificates for This Publisher panel shows all certificates in the path. You can approve or ban any of these certificates. Before doing that, however, consider the different impact of approving or banning at different points on the path.

Certificate paths for the same leaf certificate may vary on different agents, or between an agent and the server. This could occur when the same file is received from different sources, or when one computer has updaters enabled and another does not. Agents update their certificate paths over time to minimize these differences.

Because of the potential for path differences, approving or banning intermediary or root certificates might not have the results you expect. The following example shows the same leaf certificate (same Issuer and Serial Number) with different root certificates:

If you approved one of these roots and expected that to take care of all instances of the leaf, you would not see the desired results on all agents. Path differences might be less of an issue for internally signed certificates for which you control the entire certificate path.

To reduce certificate path variation, keep your certificate stores on agents and the server current. Also, make sure that operating system updaters and other key application updaters are allowed to run so that you have the latest versions of signed files.