Microsoft Tech Community

WDAC can't whitelist .sys driver


We have implemented the WDAC policy. It works so far, but I have a problem with two drivers that I can't solve. One is a smart card reader by Reiner (file cjusb.sys). This file is signed, but it seems that Windows policy control doesn't accept or doesn't understand this signature.
I have similar problems with Bloomberg application files, but after I signed them with my signature it works without problems. This file, however, is blocked by WDAC even if I sign it.
Perhaps somebody who has been confronted with similar problems can give me advice on additional debugging or a clue as to how I can solve this issue.
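The following is an added triage script, not something posted in the thread. It shows the two checks that usually answer "why does WDAC reject this signed file": what the file's Authenticode chain actually looks like (WDAC signer rules match on a CA in that chain, not on the mere presence of a signature), and what the Code Integrity event log says about the block. The driver path and the file name filter are assumptions; `citool.exe` is only present on recent Windows builds.

```powershell
# Added example: triage a file that WDAC refuses to load.
# Assumed location of the driver; adjust to where the vendor installs it.
$Path = 'C:\Windows\System32\drivers\cjusb.sys'

# 1. Inspect the Authenticode signature and its full chain.
#    A "Valid" status only means the chain ends at a root this machine trusts;
#    WDAC additionally needs one of the chain's CAs to appear in the policy.
$sig = Get-AuthenticodeSignature -FilePath $Path
$sig | Format-List Status, StatusMessage, SignatureType
$sig.SignerCertificate | Format-List Subject, Issuer, Thumbprint, NotAfter

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$null  = $chain.Build($sig.SignerCertificate)
'Chain (leaf first):'
$chain.ChainElements | ForEach-Object { '  ' + $_.Certificate.Subject }

# 2. Pull the Code Integrity events for this file.
#    3077 = enforced block, 3076 = audit-mode "would have been blocked".
#    The message names the file and the policy that rejected it.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-CodeIntegrity/Operational'
    Id      = 3076, 3077
} -MaxEvents 500 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like '*cjusb.sys*' } |
    Select-Object TimeCreated, Id, Message |
    Format-List

# 3. List the policies currently enforced, to confirm which policy the
#    signer would have to be added to (citool.exe exists on Windows 11 22H2+ / Server 2022+).
if (Get-Command citool.exe -ErrorAction SilentlyContinue) {
    citool.exe --list-policies
}

# 4. If the chain is acceptable, generate a publisher rule for the file
#    (falling back to a hash rule if the signature cannot be used) and merge it
#    into a copy of the base policy. 'base.xml' is an assumed path.
$rules = New-CIPolicyRule -DriverFilePath $Path -Level Publisher -Fallback Hash
Merge-CIPolicy -PolicyPaths 'C:\WDAC\base.xml' -OutputFilePath 'C:\WDAC\base-with-cjusb.xml' -Rules $rules
```

Read the 3077 event before changing anything: it tells you whether the file was rejected by the kernel-mode or user-mode side of the policy, and whether the signer or only the hash was evaluated. Prefer a publisher-level rule over a hash rule, since a hash rule breaks on the vendor's next update.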

2 Replies
With Bloomberg software, I have seen that people still have to whitelist the entire directory for it to work properly. No matter what, Microsoft doesn't seem to like the certificates Bloomberg uses, and that has been true for a long while now.

I have found the reason why Windows Defender acts this way. If a driver is KMDF-based and not WHQL certified, it will be blocked by Defender regardless of whether it is signed. I talked yesterday with the vendor and he gave me a UMDF driver. Now everything works.
For Bloomberg we have written a program that checks files against the Bloomberg certificates and re-signs them if they meet given criteria. The process takes about 3 min and the users accept this. After re-signing, Bloomberg works as expected.

I haven't opened any directories because it is difficult to monitor them all...
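The re-signing approach described in the reply above, as an added example written for this page rather than the poster's own program. It walks an install directory, keeps only files whose existing Authenticode signature is valid and comes from an expected publisher, and only then replaces that signature with your own so WDAC's publisher rule for your certificate covers them. The install path, the publisher thumbprints, your signing certificate's thumbprint and the timestamp server are placeholders you must fill in.

```powershell
# Added example: re-sign vendor files that already carry a known-good signature.
# All values below are assumptions/placeholders, not real thumbprints.
$Root              = 'C:\blp'                                        # assumed install directory
$TrustedPublishers = @('0000000000000000000000000000000000000000')  # fill in from Get-AuthenticodeSignature
$MySignerThumb     = '1111111111111111111111111111111111111111'     # your code-signing cert
$Timestamp         = 'http://timestamp.digicert.com'                 # assumed RFC 3161 TSA

$myCert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
          Where-Object Thumbprint -eq $MySignerThumb
if (-not $myCert) { throw "Signing certificate $MySignerThumb not found in Cert:\CurrentUser\My" }

$report = foreach ($file in Get-ChildItem -Path $Root -Recurse -File -Include *.exe, *.dll, *.sys) {
    $sig       = Get-AuthenticodeSignature -FilePath $file.FullName
    $publisher = $sig.SignerCertificate.Thumbprint   # $null when the file is unsigned

    if ($publisher -eq $MySignerThumb) {
        # Already carries our signature from a previous run.
        [pscustomobject]@{ File = $file.FullName; Action = 'AlreadySigned' }
        continue
    }

    # Gate on BOTH conditions: the chain validates on this host AND the leaf is a
    # publisher we expect. Checking the thumbprint alone would accept a revoked or
    # expired certificate; checking Status alone would accept any trusted signer.
    if ($sig.Status -eq 'Valid' -and $TrustedPublishers -contains $publisher) {
        # Set-AuthenticodeSignature REPLACES the vendor signature; it does not nest.
        $r = Set-AuthenticodeSignature -FilePath $file.FullName -Certificate $myCert `
                                       -TimestampServer $Timestamp -HashAlgorithm SHA256
        [pscustomobject]@{ File = $file.FullName; Action = "Resigned ($($r.Status))" }
    }
    else {
        [pscustomobject]@{ File = $file.FullName; Action = "Skipped ($($sig.Status); signer=$publisher)" }
    }
}

$report | Format-Table -AutoSize
```

Two caveats a practitioner should keep in mind. First, the vendor's original signature is gone after this step, so the validity check must happen before re-signing, as above, and you may want to archive the originals. Second, whatever this script signs becomes allowed by your WDAC policy; treat the signing key accordingly (hardware-backed or at least confined to a dedicated host), and keep the trusted-publisher list tight so a stray trusted-but-unexpected signer is not silently promoted.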