*driver* did not meet the Store signing level requirements – Windows 10 Code Integrity

This error message is related to Device Guard Code Integrity in Windows 10 and shows up in the Event Viewer under the Code Integrity folder. As of writing this article, the error message is not described in online documentation of Microsoft.

In the current scenario, the built-in Windows 10 apps like the Calculator, Alarms & Clock or the Photos app will instantly crash after opening it. This error message tells that the sysfer.dll is not trusted by Microsoft and therefore cannot interfere with the Alarms & Clock app. Sysfer.dll is the driver that Symantec Endpoint Protection uses with their Application & Device Control feature to control which processes are allowed to run.

Code Integrity determined that a process (\Device\HarddiskVolume3\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1709.2621.1000_x64__8wekyb3d8bbwe\Time.exe) attempted to load \Device\HarddiskVolume3\Windows\System32\sysfer.dll that did not meet the Store signing level requirements.

There are a couple of workarounds to ‘solve’ the issue:

  1. Use Device Guard Code Integrity: exclude the C:\Program Files\WindowsApps\* location from the Application & Device Control feature. If that doesn’t work (which I’m currently looking into), remove the Application & Device Control feature from the Symantec installation.
  2. Use Symantec Application & Device Control: disable User Mode Code Integrity by removing the “Enabled:UMCI” part in the CI Policy.

Even though Symantec states that they are fully supporting Code Integrity, I don’t see how that’s going to work out because Device Guard doesn’t trust the Symantec driver. I also tried to remove the “Required:Enforce Store Applications” option from the CI Policy which didn’t fix the issue. Even if you add the driver to your Code Integrity Policy which runs in Audit mode, it will not work. Otherwise it would show the following error message:

Afbeeldingsresultaat voor Windows 10 code integrity policy not trusted
Source: Microsoft Docs

“.. or violated code integrity policy. However, due to code integrity auditing policy, the image was allowed to load.”

Hope this explains the error message and the options you have.

Cheers!

3 thoughts on “*driver* did not meet the Store signing level requirements – Windows 10 Code Integrity

  1. Thanks for the post. Have you come across a workaround for this yet (save removing Symantec). Seeing the same issue, its really not ideal!

    Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

w

Connecting to %s