The New Update
With an ever-increasing demand for additional security from today's technology platforms, Microsoft is implementing several new measures to build a more robust ecosystem by default.
The most notable of these enhancements is the Windows Baseline Security Mode (BSM), which is one of several initiatives that the company is pursuing in order to provide greater runtime integrity, more restrictive execution controls, and better methods for establishing an application's trustworthiness when it is running on the platform.
While those changes affect an organisation's software configuration in considerable ways, they will also significantly affect its software publishing and development practices, including software release processes, signing practices, and overall software lifecycle management.
Introducing Secure-by-Default Execution
The Baseline Security Mode is designed to provide runtime integrity assurances. The model limits execution to authorised applications, services, and drivers, preventing tampering and unauthorised changes to systems. This helps ensure that systems remain intact while still giving administrators the ability to grant exceptions when operational requirements demand flexibility.
The practical implication is clear: trust must be verifiable.
This is consistent with Microsoft's expressed intention regarding the visibility of enforcement:
Developers can verify whether there are currently any active protections, as well as the exceptions granted to developers, to understand how and when their applications will be running, according to Logan Iyer, Distinguished Engineer and Microsoft VP.
The implication of this direction is that trust enforcement will be verifiable and auditable within the runtime; unsigned or poorly managed binaries should therefore expect more friction or outright blocks.
Code Signing Will Become Mandatory
There are already operational impacts for organisations that develop or distribute software:
- Unsigned applications will become blocked by default policy baselines.
- Execution policies continue to move to certificate-based trust chains.
- Code signing must be an integral part of the developer/release pipelines.
Code signing is now unavoidable, even for applications that have historically shipped unsigned. This raises costs (both monetary and in time and effort) for independent or hobbyist developers, who will need to obtain code signing certificates or risk having their applications blocked by policy.
As such, organisations will need a system for managing code signing (for example, a certificate management process) as well as a certificate rotation and revocation policy.
In practice, organisations will need to integrate certificate provisioning, signing automation, and compliance checks into their CI/CD workflows, rather than treating them as options to adopt later.
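The two points above, that trust must be verifiable at runtime and that signing has to become a pipeline step rather than an afterthought, come together in a release gate. The following PowerShell script is an added example written for this article, not code from Microsoft or from SignMyCode: it signs build artifacts with a publisher certificate and then independently re-verifies every file, refusing to publish anything that is unsigned, signed by the wrong certificate, or not timestamped, so that no binary reaches a baseline-enforced endpoint only to be blocked there. The artifact directory, the certificate thumbprint, and the timestamp authority URL are placeholders that a real pipeline would supply from its configuration and secrets.

```powershell
# Added example (not from the original article): a release-pipeline gate that
# signs artifacts and then re-verifies them before publication.
# $ArtifactDir, $Thumbprint and $TimestampUrl are placeholders.
param(
    [string]$ArtifactDir  = ".\dist",                           # assumed build output folder
    [string]$Thumbprint   = "<PUBLISHER-CERT-THUMBPRINT>",      # placeholder, inject from a pipeline secret
    [string]$TimestampUrl = "http://timestamp.example/rfc3161"  # placeholder RFC 3161 timestamp authority
)

$ErrorActionPreference = 'Stop'

# 1. Locate the signing certificate in the build agent's user store and make sure
#    the private key is actually available on this agent.
$cert = Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object { $_.Thumbprint -eq $Thumbprint -and $_.HasPrivateKey }
if (-not $cert) {
    throw "Signing certificate $Thumbprint not found in Cert:\CurrentUser\My or has no private key"
}

# 2. Sign every executable artifact with SHA-256 and an RFC 3161 timestamp, so the
#    signature remains valid after the certificate expires or is rotated.
$artifacts = Get-ChildItem -Path $ArtifactDir -Recurse -Include *.exe, *.dll, *.msi, *.ps1
foreach ($file in $artifacts) {
    $result = Set-AuthenticodeSignature -FilePath $file.FullName -Certificate $cert `
                  -HashAlgorithm SHA256 -TimestampServer $TimestampUrl
    if ($result.Status -ne 'Valid') {
        throw "Signing failed for $($file.FullName): $($result.StatusMessage)"
    }
}

# 3. Gate: verify independently of the signing step. Anything that is not Valid,
#    not from the expected publisher certificate, or lacking a timestamp fails the
#    pipeline before it can be published.
$failures = @()
foreach ($file in $artifacts) {
    $sig = Get-AuthenticodeSignature -FilePath $file.FullName
    if ($sig.Status -ne 'Valid') {
        $failures += "$($file.Name): signature status is $($sig.Status)"
    } elseif ($sig.SignerCertificate.Thumbprint -ne $Thumbprint) {
        $failures += "$($file.Name): signed by unexpected certificate $($sig.SignerCertificate.Thumbprint)"
    } elseif (-not $sig.TimeStamperCertificate) {
        $failures += "$($file.Name): no timestamp (signature will break when the certificate expires)"
    }
}

if ($failures.Count -gt 0) {
    throw ("Release gate failed for $($failures.Count) artifact(s):`n" + ($failures -join "`n"))
}
Write-Host "All $($artifacts.Count) artifacts signed and verified; safe to publish."
```

The verification pass deliberately does not trust the return value of the signing step: it re-reads each file with Get-AuthenticodeSignature, which is the same check an endpoint performs, so the gate fails for the same reasons a baseline-enforced system would refuse the binary. Keeping the thumbprint in pipeline configuration rather than in the script is what makes certificate rotation a configuration change instead of a code change.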
Baseline Security Mode in Microsoft 365 Environments
While Windows enforcement focuses on runtime integrity, BSM also appears within Microsoft 365 administration contexts, emphasising configuration hardening at the tenant level.
Microsoft has begun rolling out Baseline Security Mode through the Microsoft 365 Admin Center, where it bundles recommended configurations across collaboration and identity services into a single management dashboard. Administrators can assess vulnerabilities, simulate changes, and apply policies gradually rather than forcing immediate disruption.
Characteristics:
- Coverage of roughly 18-20 policies spanning authentication, application, and file protection domains
- Enforcement of phishing-resistant MFA methods for administrators
- Blocking of legacy protocols and risky behaviors, such as insecure document paths
- Phased activation through simulation reports and approval workflows
These controls are designed to surface configuration gaps early and reduce exposure to credential attacks and misuse scenarios.
Example Navigation Path to Enable BSM (Microsoft 365)
Administrators typically activate the feature via:
- Open Microsoft 365 Admin Center
- Go to Org Settings
- Select Security & Privacy
- Access Baseline Security Mode dashboard
- Run simulation/report
- Approve phased policy application
The dashboard tracks posture status and allows staged enforcement, supporting adoption without sudden workflow disruption.
First published on SignMyCode: Windows Baseline Security Mode (BSM) Raises the Bar for Application Trust and Code Signing