MS owned DLLs failing WDAC policy
I'm working on a WDAC / Code Integrity policy for my Win 10 workstations. Around 500 unique MS-owned DLLs in the C:\Windows\system32 directory are failing the check, CI event 3091. I fed the list into Get-AuthenticodeSignature to see what they have in common. They are all signed and should pass with the generic allowmicrosoft.xml policy.
They all have the same subject and issuer, but a few different serials and dates.
[Subject]
CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
[Issuer]
CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
I looked at allowmicrosoft.xml; it makes use of well-known values, so I can't readily check why this is occurring. It feels like I'm missing something blatant here.
<Signer ID="ID_SIGNER_MICROSOFT_PRODUCT_1997_0" Name="MincryptKnownRootMicrosoftProductRoot1997">
<CertRoot Type="Wellknown" Value="04" />
I've tried scanning these with Get-SystemDriver using a variety of flags. I even tried sigcheck, tracking down the catalog file, exporting the certificates manually and using Add-SignerRule into a new policy.
No matter what I do it skips over the certificates. What am I missing?
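A triage script for the situation described in the post, added here as an example and not code from the poster. It pulls the Code Integrity events, maps each flagged file back to its on-disk path, and records for every file whether the signature is embedded or catalog-based, whether PowerShell considers it an OS binary, and which root certificate the signer actually chains to, so the result can be compared against the well-known roots named in allowmicrosoft.xml. Assumptions: the event's EventData carries a `FileNameBuffer` field (it does for 3076/3077; assumed here for 3091), the reported NT device paths all fall under `\Windows\`, and the `Convert-CIPath` helper and the `$EventId`/`$MaxEvents` parameters are this script's own, not part of any Microsoft tooling.

```powershell
# Added triage example (not from the original post). Run elevated on an affected workstation.
param(
    [int[]]$EventId  = 3091,   # assumption: the event ID the post reports; adjust to 3076/3077 if needed
    [int]$MaxEvents  = 5000,
    [string]$OutCsv  = "$env:TEMP\ci-signer-triage.csv"
)

$log    = 'Microsoft-Windows-CodeIntegrity/Operational'
$events = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = $EventId } -MaxEvents $MaxEvents -ErrorAction Stop

function Convert-CIPath {
    # Helper defined here (hypothetical name). CI logs NT device paths such as
    # \Device\HarddiskVolume3\Windows\System32\foo.dll; map the \Windows\ tail onto
    # $env:SystemRoot. Assumption: every flagged file lives under the Windows directory.
    param([string]$RawPath)
    if ($RawPath -match '(?i)\\Windows\\(.+)$') { return Join-Path $env:SystemRoot $Matches[1] }
    return $RawPath
}

# Extract the file name from each event's EventData (assumes a 'FileNameBuffer' field).
$paths = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $node = $xml.Event.EventData.Data | Where-Object Name -eq 'FileNameBuffer'
    if ($node) { Convert-CIPath $node.'#text' }
}
$paths = $paths | Sort-Object -Unique

$report = foreach ($p in $paths) {
    if (-not (Test-Path -LiteralPath $p)) { continue }
    $sig  = Get-AuthenticodeSignature -FilePath $p
    $root = $null
    if ($sig.SignerCertificate) {
        # Build the chain ourselves so we see the actual root, not just the issuer
        # printed by Get-AuthenticodeSignature. Revocation is skipped: offline triage.
        $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        [void]$chain.Build($sig.SignerCertificate)
        $last = $chain.ChainElements.Count - 1
        $root = $chain.ChainElements[$last].Certificate.Subject
        $chain.Reset()
    }
    [pscustomobject]@{
        Path          = $p
        Status        = $sig.Status            # Valid / NotSigned / HashMismatch / ...
        SignatureType = $sig.SignatureType     # Authenticode (embedded) vs Catalog vs None
        IsOSBinary    = $sig.IsOSBinary        # whether PowerShell treats it as a Windows component
        Issuer        = $sig.SignerCertificate.Issuer
        Serial        = $sig.SignerCertificate.SerialNumber
        NotAfter      = $sig.SignerCertificate.NotAfter
        Root          = $root                  # compare with the well-known roots in allowmicrosoft.xml
    }
}

$report | Export-Csv -NoTypeInformation -Path $OutCsv
# Summary: how the failing files split by signature type, root and validity.
$report | Group-Object SignatureType, Root, Status |
    Select-Object Count, Name | Sort-Object Count -Descending | Format-Table -AutoSize
Write-Host "Per-file detail written to $OutCsv"
```

The grouped summary is the useful output: if the failing set is all `Catalog`-signed while a working sample is `Authenticode`, or if the chain terminates in a root whose name does not correspond to the well-known signer the policy allows, that narrows the search far more than the matching subject/issuer pair does. The CSV keeps serial and expiry per file so the "few different serials and dates" can be cross-checked against the events individually.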