This section describes certificate approvals and bans, and how they affect file state.
The following information is a summary of the certificate approval and ban features:
- Certificate Approval Settings
- The System Configuration page has Advanced Options that affect whether certain certificates can be globally approved.
- Manageable Certificate Types
- Regardless of configuration choices, not all discovered certificates can be approved or banned.
- Path Position and Agent Differences
- For the same certificate/publisher combination, different agents can have different certificate paths, and the path on the server may match some or none of those currently on the agents.
- Certificate State
- Approving or banning a certificate (or removing approvals and bans) determines Certificate State for a specific certificate for a specific publisher.
- Certificate Global State
- Other factors interact with Certificate State to determine the Certificate Global State, which is its effective state.
- Impact on File State
- Certificate Global State interacts with other rules and states to determine the state of a file signed by a particular certificate or one of its children.
- Certificate Ban Setting
- Each computer’s Policy has an Advanced Setting that determines whether certificate bans are effective.
When you approve or ban certificates you must specify the state in each publisher for which you want the approval or ban to be effective.
Note: To approve a file on Windows agents (the only agents these features apply to), all certificates in the certificate chain for that file must be considered valid by Windows. For example, current root certificates must be installed for a certificate to be accepted.