I’m working on WDAC / windows defender application control policy. Around 80% of what I have left is from system32 DLL files, hundreds of them. Windows 10 client systems, mostly 20h2.
The base policy is about as stock as you can get. Allow MS using allowmicrosoft.xml sample policy, the recommended best practice block drivers & apps, and SCCM. The DLLs are failing are MS signed but are coming back with event 3091 failures that will be blocked when going to enforcement mode.
All the DLLs failing share these certificate attributes.
[Subject] CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US [Issuer] CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
I added the certs on the chain to a blank policy using
Add-SignerRule -CertificatePath .signature1.cer -user -kernel -update, and merged them. These certificates should definitely exist now, even if they weren’t part of allowmicrosoft.xml for some reason.
The check still fails, even after a policy refresh. What am I missing?