Summary
Box is updating how desktop applications verify application updates to improve security and better align with Microsoft best practices. Most customers will see no impact, but some environments require action by May 1 to avoid update failures.
What’s changing & why
Box is moving to Microsoft Azure Trusted Signing to sign application binaries across all Box desktop products starting :
- Box Drive (v 2.52)
- Box Tools (v 4.33)
- Box for Office (v 4.25)
- Box Sync (v TBD)
This supports additional protection against tampering, ensures updates are clearly verified as originating from Box, and aligns with Microsoft’s modern security standards—without changing the end-user update experience.
Impact to users:
For most organizations, there is no impact and updates will continue seamlessly. But for organizations where Microsoft Automatic Root Certificate Updates are disabled, devices that do not have the Microsoft Identity Verification Root Certificate Authority 2020 certificate will fail to auto-update. Users may also see trust or signature warnings, and updates will not install until the root certificate is present and trusted.
Action required (by May 1)
If your organization disables Microsoft root certificate updates:
- Check if Microsoft Identity Verification Root Certificate Authority 2020 exists in the Trusted Root Certification Authorities store
- Deploy the certificate via your device or certificate management solution if it is missing
- Contact Box Support or your account team if deployment is not possible or your run into issues