@Ian V Kindly note Windows Security is currently not supported on Microsoft Q & A Community Platform. For expert assistance on your issue, I would suggest you post your question on Windows Security Community Forum.
WDAC - Allowing module (DLL) not working - FMAPO64.dll
Currently building Windows Defender Application Control (WDAC) for my pilot environment.
Windows 10 x64 20H2, Azure AD, Endpoint Manager (Intune).
I have a WDAC policy in place which allows C:\Windows*.
This should cover this file, but I am getting a log in Event Log every second.
Event Log: Microsoft-Windows-CodeIntegrity/Operational
Event Source: CodeIntegrity
Event ID: 3033
Message: Code Integrity determined that a process (\Device\HarddiskVolume3\Windows\System32\audiodg.exe) attempted to load \Device\HarddiskVolume3\Windows\System32\FMAPO64.dll that did not meet the Enterprise signing level requirements.
The DLL file in question, FMAPO64.dll, came with Windows 10 (or was downloaded via Update).
It has several Digital Signatures, and a few of them say they're valid.
[Digest algorithm] - [Timestamp] - [Valid] - [Valid to]
sha256 - 2020-06-23 5:40:08 PM - No (This certificate has expired or is not yet valid) - 1/02/2021
sha256 - 2020-09-04 6:57:33 PM - Yes - 6/03/2021
sha256 - 2020-08-28 4:22:05 PM - Yes - 6/03/2021
sha256 - 2020-08-21 6:25:18 PM - Yes - 6/03/2021
sha256 - 2020-08-06 12:41:29 PM - No (This certificate has expired or is not yet valid) - 1/02/2021
sha256 - 2020-07-24 5:28:41 PM - Yes - 6/03/2021
sha256 - 2020-06-29 1:13:27 PM - Yes - 6/03/2021
I have even added a rule via New-CIPolicyRule -DriverFilePath .\FMAPO64.dll -Level FileName -AppID .\audiodg.exe, which appears to use the OriginalFilename from each file (I doubt that's an issue), but the Event Log is still generated.
I am hesitant to create a Hash rule as this file may update in the future.
What can I do?
My Event Log is filled with this log every second, and fills up my log, preventing meaningful troubleshooting of all my other policies.
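To see how much of the 3033 volume comes from which process and image pair, the events can be grouped with a short script. This is an added example, not part of the original post; the regular expression assumes the message wording quoted in the question, and the function name and the 5000-event cap are hypothetical choices.

```powershell
# Added example: group Code Integrity event 3033 by loading process and refused image.
# Assumption: the message text has the shape quoted in the question.
$pattern = 'process \((?<Process>[^)]+)\) attempted to load (?<Image>.+?) ' +
           'that did not meet the (?<Level>.+?) signing level requirements'

# Message as quoted in the question, used when the local log has no 3033 events.
$sample = 'Code Integrity determined that a process ' +
          '(\Device\HarddiskVolume3\Windows\System32\audiodg.exe) attempted to load ' +
          '\Device\HarddiskVolume3\Windows\System32\FMAPO64.dll that did not meet ' +
          'the Enterprise signing level requirements.'

function ConvertFrom-CodeIntegrity3033 {   # hypothetical helper name
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Message)
    process {
        if ($Message -match $pattern) {
            [pscustomobject]@{
                # Keep only the file name; the NT device prefix varies per volume.
                Process = ($Matches.Process -split '\\')[-1]
                Image   = ($Matches.Image -split '\\')[-1]
                Level   = $Matches.Level
            }
        }
    }
}

# Read the most recent 3033 events from the operational log named in the question.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-CodeIntegrity/Operational'
    Id      = 3033
} -MaxEvents 5000 -ErrorAction SilentlyContinue

$messages = if ($events) { $events | ForEach-Object { $_.Message } } else { @($sample) }

# One row per (process, image, signing level) with its event count, noisiest first.
$messages |
    ConvertFrom-CodeIntegrity3033 |
    Group-Object Process, Image, Level |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

Messages that do not match the assumed wording are skipped, so a count lower than the number of events read means the wording differs on that build.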