symamsi.dll does not meet the Microsoft signing level requirements with / without LSA protected monitoring mode and Windows 11
search cancel

symamsi.dll does not meet the Microsoft signing level requirements with / without LSA protected monitoring mode and Windows 11

book

Article ID: 389706

calendar_today

Updated On: 03-03-2025

Products

Endpoint Security Endpoint Protection

Issue/Introduction

1/15/2025 14:51    Microsoft-Windows-CodeIntegrity/Operational    Error    CodeIntegrity    <customer domain>       3033    Code Integrity determined that a process (\Device\HarddiskVolume4\Program Files\Windows Defender\MpCmdRun.exe) attempted to load \Device\HarddiskVolume4\Program Files\Symantec\Symantec Endpoint Protection\14.3.9210.6000.105\Bin64\symamsi.dll that did not meet the Microsoft signing level requirements....

Environment

Windows 11
Local Security Authority (LSA) protection mode

Resolution

1) The event viewer code integrity messages will be logged when PPL processes (e.g. MPCmdRun.exe, SvcHost.exe etc.) tried to load symamsi.dll.
The event viewer logs are as expected since symamsi.dll for RUs is NOT Microsoft signed and doesn't meet AMPPL requirement, other vendors will have similar issues.

NOTE: The error messages will be logged whether system is in Local Security Authority (LSA) protected mode or not.

2) symamsi.dll is not in the LSA code path at all. So the error message shouldn't impact Local Security Authority (LSA) protection mode.
https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection

Additional Information

CRE-20569