[FIXED] Windows Defender Application Control can cause bluescreening


PLEASE NOTE THAT THIS ISSUE HAS NOW BEEN FIXED BY THE MICROSOFT PRODUCT GROUP. THIS BLOG IS NOW INFORMATIONAL ONLY.

I’ve been working with Windows Defender Application Control (WDAC) a lot recently and come across a few undocumented bugs that might be worth knowing about, one of which I’ll write about here, and another in a future blog. Microsoft are currently working on both issues in the Product Group, so these blogs may soon be struck down and rendered irrelevant, but until then, I’d like to describe the issues and the workarounds to save fellow engineers the grief.

Symptoms

  • Devices using WDAC enforced policies sometimes bluescreen,

  • The blue screen message is ‘Stop Code: CRITICAL_STRUCTURE_CORRUPTION’, referencing the .dll ‘CI.DLL’,

  • Removing the WDAC policy stops the bluescreens from occurring.

When I was researching these bluescreens I was googling frantically and found almost nothing. I’ll include my search terms - perhaps you arrived at this article because you used the same verbiage? (Hopefully - that would be a real win for metadata and ‘tags’ used in blog posts!)

“Bluescreen critical_structure_corruption ci.dll”,
“ci.dll bluescreen codeintegrity”,
“Bluescreen caused by WDAC”.


CI.dll is the ‘Code Integrity’ module on Windows, and it relates directly to Device Guard / WDAC - Code Integrity is the name of the Event Log used by WDAC, for example. Naturally I suspected my own policy - I must have misconfigured it, or my workstations, or used a combination of other security features that conflicted with it.

I dusted off my copy of WinDbg and looked through the minidump files that you find in ‘C:\Windows\Minidump’ after a bluescreen. I didn’t happen upon anything particularly interesting. I also tried simplifying my policy options and removing any DENY rules that might have blocked a driver, causing a kernel error like the above, but no such luck.


‘Pass’ on WDAC Option 16

We reached out to Microsoft and got the information we needed from an experienced Microsoft support engineer who knew a great deal about WDAC. They took our bluescreen .dmp files and came back with confirmation that we are now linked to a known issue under investigation with the Product Group, with a fix forthcoming in a few months.

The issue is as follows, relating to WDAC option 16:

<Rule>
  <Option>Enabled:Update Policy No Reboot</Option>
</Rule>

This ‘Option’ currently has a bug which can cause a bluescreen when applying updated WDAC policies on a machine that is already using an Enforced policy.

That is my understanding of it, and the workaround is simple. Set your policy Option 16 to disabled until further notice. I’ll keep you posted if it gets fixed by updating the blog.

<!-- option 16 is disabled by deleting its rule (e.g. Set-RuleOption -FilePath .\policy.xml -Option 16 -Delete), so <Rules> no longer contains: -->
<Rule>
  <Option>Enabled:Update Policy No Reboot</Option>
</Rule>
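To check a fleet of policy XML files for the workaround before recompiling them, here is an added audit helper (my example, not code from the original post or from Microsoft). It assumes the standard sipolicy XML layout, where rule options live under <Rules>/<Rule>/<Option>; the sample policy is constructed and trimmed to that section.

```python
"""Audit a WDAC policy XML for rule option 16 ("Enabled:Update Policy No Reboot")."""
import xml.etree.ElementTree as ET

# Namespace of WDAC / Code Integrity policy XML (the sipolicy schema).
SIPOLICY_NS = "urn:schemas-microsoft-com:sipolicy"
NO_REBOOT_OPTION = "Enabled:Update Policy No Reboot"  # rule option 16
# Keep the default namespace on output instead of an ns0: prefix.
ET.register_namespace("", SIPOLICY_NS)

# Constructed sample policy, trimmed to the <Rules> section this check cares about.
SAMPLE_POLICY = """<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy" PolicyType="Base Policy">
  <VersionEx>10.0.0.0</VersionEx>
  <Rules>
    <Rule><Option>Enabled:UMCI</Option></Rule>
    <Rule><Option>Enabled:Unsigned System Integrity Policy</Option></Rule>
    <Rule><Option>Enabled:Update Policy No Reboot</Option></Rule>
  </Rules>
</SiPolicy>
"""

def _q(tag):
    """Namespace-qualify a tag name for ElementTree lookups."""
    return "{%s}%s" % (SIPOLICY_NS, tag)

def rule_options(policy_xml):
    """Return every <Rules>/<Rule>/<Option> value in document order."""
    root = ET.fromstring(policy_xml)
    path = "%s/%s/%s" % (_q("Rules"), _q("Rule"), _q("Option"))
    return [(opt.text or "").strip() for opt in root.findall(path)]

def has_no_reboot_option(policy_xml):
    """True if the policy still carries option 16 and is exposed to the CI.DLL bugcheck."""
    return NO_REBOOT_OPTION in rule_options(policy_xml)

def strip_no_reboot_option(policy_xml):
    """Return the policy with the option 16 <Rule> removed (the workaround in this post)."""
    root = ET.fromstring(policy_xml)
    rules = root.find(_q("Rules"))
    if rules is not None:
        for rule in list(rules):
            opt = rule.find(_q("Option"))
            if opt is not None and (opt.text or "").strip() == NO_REBOOT_OPTION:
                rules.remove(rule)
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    print("option 16 present:", has_no_reboot_option(SAMPLE_POLICY))
    fixed = strip_no_reboot_option(SAMPLE_POLICY)
    print("present after workaround:", has_no_reboot_option(fixed))
```

The stripped XML still has to be compiled to the binary .cip/.p7b with ConvertFrom-CIPolicy and redeployed, and without option 16 the refreshed policy only takes effect after a reboot.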

That’s it! We’re not all crazy, we’re not doing it wrong* - it’s just a bug this time.


*though WDAC is hard to get right!

