Forum Discussion

Copper Contributor

Nov 06, 2022

Microsoft recommended block rules for DLLs

Has anyone has experience working with the DLL rules. Currently we have implemented Microsoft recommended block rules and noticed it is blocking a lot of application dlls. The blocked dll is frho...

Intune

Rudy_Ooms_MVP

MVP

Nov 07, 2022

To be sure... are you using device guard or applocker... as that error that did not meet the Windows signing level requirements sounds like device guard (code integrity) And by the looks of it... did you configured some additional logging

Enable Code Integrity Event Logging and System Auditing - Windows drivers | Microsoft Learn

Livi_1

Copper Contributor

Nov 15, 2022

We're using device guard - windows defender application control (WDAC) along with a 3rd party endpoint detection (Malwarebytes). However we're running windows defender in passive mode.

Code integrity logs are enabled by default.

HotCakeX
MVP
Feb 28, 2023
Livi_1
Hi, the link you mentioned belongs to Applocker.

Microsoft recommended block rules are here:
https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules

and I searched for the DLL file you mentioned and couldn't find it in there.

When using a 3rd party AV, I suggest turning on EDR in Microsoft Defender in Windows and set it to block mode:
https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/edr-in-block-mode?view=o365-worldwide

More info about WDAC and its deployment methods: (you don't need Applocker when using WDAC as WDAC is superior and provides more protection)
https://github.com/HotCakeX/Harden-Windows-Security/wiki/Introduction