MS owned DLLs failing WDAC policy

Tim Brigham 1 Reputation point
2021-08-13T18:57:24.623+00:00

I'm working on a WDAC / Code Integrity policy for my Win 10 workstations. Around 500 unique MS owned DLLs in the C:\Windows\system32 directory are failing the check, CI event 3091. I fed the list into get-authenticodesignature to see what they have in common. They are all signed and should pass with the generic allowmicrosoft.xml policy.

They all have the same subject and issuer, but a few different serials and dates.

[Subject]
  CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
[Issuer]
  CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  

I looked at allowmicrosoft.xml makes use of well known values so I can't readily check why this is occurring. It feels like I'm missing something blatant here.

<Signer ID="ID_SIGNER_MICROSOFT_PRODUCT_1997_0" Name="MincryptKnownRootMicrosoftProductRoot1997">
  <CertRoot Type="Wellknown" Value="04" />

I've tried scanning these with get-systemdriver using a variety of flags. I even tried sigcheck, tracking down the catalog file, exporting the certificates manually and using Add-SignerRule into a new policy.

No matter what I do it skips over the certificates. What am I missing?

Windows 10 Compatibility
Windows 10 Compatibility
Windows 10: A Microsoft operating system that runs on personal computers and tablets.Compatibility: The extent to which hardware or software adheres to an accepted standard.
459 questions
Windows 10 Security
Windows 10 Security
Windows 10: A Microsoft operating system that runs on personal computers and tablets.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
2,780 questions
{count} votes