![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(134.4, 88%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGC%3C/text%3E%3C/svg%3E)
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(300.8, 72%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECL%3C/text%3E%3C/svg%3E)
Hello Gambo Cheung,
Welcome to Microsoft Q&A forum.
While the key will only be fully removed in Feb 2027 updates, the deprecation has already started. While the key apparently still exists, it is no longer functioning reliably. The retirement of the key will be gradually rolls out over the course until Feb 2027, when the key is fully removed.
Due to that, the behavior of the apps you see is actually expected. Initially, the certificate availability will still allow CSP-style. But when it's refreshed, the certificate might be registering KSP only. If your apps still only ask for CSP, that when it fails.
In this case, the only reliable way to go forward is that ActiveX will need to be updated to align with the changes. As set DisableCapiOverrideForRSA value to 0 will be eventually ignored when the deprecation is being enforced.
Thank you for your understanding.