Question

TimBrigham-0422 asked · USNOOZEYULOOSEY-9159 commented

MS owned DLLs failing WDAC policy

I'm working on a WDAC / Code Integrity policy for my Win 10 workstations. Around 500 unique MS owned DLLs in the C:\Windows\system32 directory are failing the check, CI event 3091. I fed the list into get-authenticodesignature to see what they have in common. They are all signed and should pass with the generic allowmicrosoft.xml policy.

They all have the same subject and issuer, but a few different serials and dates.

 [Subject]
   CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
 [Issuer]
   CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

I looked at allowmicrosoft.xml; it makes use of well-known values, so I can't readily check why this is occurring. It feels like I'm missing something blatant here.

 <Signer ID="ID_SIGNER_MICROSOFT_PRODUCT_1997_0" Name="MincryptKnownRootMicrosoftProductRoot1997">
   <CertRoot Type="Wellknown" Value="04" />

I've tried scanning these with get-systemdriver using a variety of flags. I even tried sigcheck, tracking down the catalog file, exporting the certificates manually and using Add-SignerRule into a new policy.

No matter what I do it skips over the certificates. What am I missing?

Tags: windows-10-security, windows-10-application-compatibility
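To narrow down why those files fail, the script below (an added example, not code from the original post) pulls the file paths out of the CodeIntegrity 3091 events and tabulates how each file is signed, so the failing set can be compared against the signer rules in AllowMicrosoft.xml. It assumes the operational log is enabled, that the event data carries the path in a field named FileNameBuffer (falling back to a path match on the rendered message), and that \Device\HarddiskVolumeN paths refer to the system drive.

```powershell
# Run elevated: the CodeIntegrity operational log is not readable otherwise.
function Get-CiFailedFiles {
    param([int]$EventId = 3091, [int]$Max = 1000)
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = $EventId
    } -MaxEvents $Max -ErrorAction Stop | ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        # Assumed field name; fall back to scanning the rendered message for a path.
        $p = ($data | Where-Object Name -eq 'FileNameBuffer').'#text'
        if (-not $p -and $_.Message -match '(\\Device\\HarddiskVolume\d+|[A-Za-z]:)\\\S+') {
            $p = $Matches[0]
        }
        # Assumption: the device path is the system volume.
        if ($p) { $p -replace '^\\Device\\HarddiskVolume\d+', $env:SystemDrive }
    } | Sort-Object -Unique
}

function Get-CiSignerReport {
    param([string[]]$Path)
    foreach ($f in $Path) {
        if (-not (Test-Path -LiteralPath $f)) { continue }
        $sig = Get-AuthenticodeSignature -LiteralPath $f
        [pscustomobject]@{
            File          = $f
            Status        = $sig.Status          # Valid, NotSigned, HashMismatch, NotTrusted ...
            SignatureType = $sig.SignatureType   # Authenticode (embedded), Catalog, or None
            Subject       = $sig.SignerCertificate.Subject
            Issuer        = $sig.SignerCertificate.Issuer
            Serial        = $sig.SignerCertificate.SerialNumber
            NotAfter      = $sig.SignerCertificate.NotAfter
        }
    }
}

$files  = Get-CiFailedFiles
$report = Get-CiSignerReport -Path $files

# Split the failing set by signature type and signer chain: whether a file carries an
# embedded signature or relies on a catalog, and which issuer/serial it chains to, is
# the first thing to compare against the <Signer> entries in the policy.
$report | Group-Object SignatureType, Status | Select-Object Count, Name
$report | Group-Object Issuer, Serial | Select-Object Count, Name
$report | Export-Csv -NoTypeInformation -Path "$env:TEMP\ci-3091-signers.csv"
```

The CSV keeps the per-file detail so files that share an issuer but differ in serial or expiry date, as the question describes, can be tracked individually.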

When doing my scans as FilePublisher, I had success except for the following 2 DLLs:
pcadm.dll
pcasvc.dll

I did also start getting issues recently on SCCM updates that weren't signed from MS.

I hope MS start to sign these things properly and have a list to track them.


0 Answers