M2 Installer Violates Code Integrity Policy on Win 11 Pro

[russ6100]

When I installed the 4.0.9.6648 M2 installer software over a week ago, it seemed rather uneventful - the familiar MOTU graphic that displays the sample rate showed up much like it did on my Win 7 box 4 ~ 5 years prior. Confidence was then further bolstered when the device played audio. Cool - I thought - now on to other issues (cuz Windows 11 - if you know - you know).

A few days passed before I decided to do some voice chatting but I had issues - no voice chat. All other "sounds" were fine but no voice.

I downloaded Audacity to test further. As soon as I pressed "record" - `Error: -9999`.

I'll spare you most of the details of my sleuthing but eventually I noticed in Device Manager that MOTU's audio drivers, though labeled `In 1 - 2 MOTU`, Out 1 - 2 MOTU` etc.. were in fact NOT MOTU drivers at all - they were Microsoft's.

I then uninstalled the drivers, rebooted the machine. With the M2 unplugged, I chose "Update Driver" then "Browse My Computer for Drivers" to direct Windows to the path to the .inf and .sys files in the MOTU folder. Without providing an error code or explanation, Windows refused.

I then uninstalled the rest of the MOTU software, rebooted and with the M2 unplugged, ran the MOTU installer once again.

This time, a real error:

"Unable to execute the temporary directory. Setup aborted. Error 4551: Your organization used Device Guard to block this app. Contact your support person for more info."

My machine is not part of an Enterprise or administered by anyone other than me. I also don't have Device Guard enabled.

Since then I've disabled a plethora of security features and have searched the Event Viewer for clues without luck.

Until tonight - under Event Viewer > Applications and Services Logs > Microsoft > Windows > CodeIntegrity

An error was logged (timestamp correlates with the last time I ran the MOTU installer):

"Code Integrity determined that a process (\Device\HarddiskVolume3\Users\User\MOTU M Series Installer (96648).exe) attempted to load \Device\HarddiskVolume3\Users\User\AppData\Local\Temp\is-C7ETB.tmp\MOTU M Series Installer (96648).tmp that did not meet the Enterprise signing level requirements or violated code integrity policy (Policy ID:{0283ac0f-fff1-49ae-ada1-8a933130cad6})."

AFAIK, MOTU *DOES* bother to make sure their code is signed.

This policy might be one of the culprits:
`C:\Windows\System32\CodeIntegrity\driversipolicy.p7b`

I've tried to reach out to MOTU (as I've done successfully in the past via phone and Support Ticket), however, their web form for the Support Ticket malfunctioned and their tech line now directs you to their support portal on the web.

My bet is that someone at MOTU is familiar with this issue unless I'm the only person that's tried to install the M2 on Win 11 Pro.

Microsoft does provide documentation for their security but it is fraught with marketing-speak and not very forthcoming in outlining exactly how the different sub-systems overlap, e.g. though Virtualization-based Security may be turned off via Group Policy, some other mechanism(s) may be enforcing a similar policy etc..

My hope is that someone at MOTU (or anyone familiar with the issue) sees this and can provide a solution.

Sorry for the length but this info may be relevant to others.

Thanks,
Russ Letson

[mikehalloran]

My hope is that someone at MOTU (or anyone familiar with the issue) sees this and can provide a solution

Hi,

Though that might be possible, this is a Users' board not affiliated with MOTU.

You can submit a Tech Link/Support ticket over at MOTU. If you have not registered your M2 yet, create a User Account and do so.

Please let us know what they say.

[CharlzS]

Is Core Isolation Memory Integrity in security settings turned on? Search Memory Integrity in Settings. If so, turn it off. Uninstall the M2 in the Device Manager --> Sound Video and Game Controllers. Right click the M2, uninstall and check the uninstall drivers option. If you don't see an M2 then menu View --> Hidden Devices. If the drivers still show up in Programs and Features, uninstall them there also. Reinstall the drivers. Just something to try.

[russ6100]

Thanks for the replies.

From my post above:

"I've tried to reach out to MOTU (as I've done successfully in the past via phone and Support Ticket), however, their web form for the Support Ticket malfunctioned and their tech line now directs you to their support portal on the web."

Core Isolation - I've had that turned off for about a week.

I also have already uninstalled the drivers via Device Manager - Show Hidden Devices.

Reinstalling only results in this error (also in my post above):

"Unable to execute the temporary directory. Setup aborted. Error 4551: Your organization used Device Guard to block this app. Contact your support person for more info."

Since my OP, I've done more sleuthing, homing in on this:
`C:\Windows\System32\CodeIntegrity\Driversipolicy.p7b`

Though the file is not meant to be human-readable, with a hex editor I can see that it contains a lists of driver files.

Looking into this further, it appears that I might be able extract the certificate from the MOTU driver and store it in Local Machine - Trusted Publishers, essentially white-listing the driver.

[russ6100]

A month later and I'm finally up and running.

What I did to make it happen:

1. Turned off Smart App Control. Apps would finally install without issue.

2. Matt from MOTU responded to my support ticket. I was getting a scripting error during product activation of Performer Lite 11. He recommended installing the current Windows C++ Redistributables. Problem solved.

3. I was still unable to use a voice chat app and Audacity. Turns out that Windows had revoked mic permissions that I had explicitly granted earlier - Easy fix.

BTW - Matt at MOTU had responded to my support ticket by making a video of him reviewing and addresses my notes. Who does that? I was blown away by how deep he was willing to go and how much effort he put into diagnosing the problem.

[CharlzS]

Surprising that the MOTU drivers don't get by the Smart App Control. Are they blacklisted or unsigned? Never had an issue installing MOTU drivers here because apparently Smart App Control is only enabled by default on clean Win11 installs. Updated both machines from Win10. I also had issues in the past with the C++ redistributables but I don't think any MOTU stuff was involved. Though memory is a little weak on that, it was definitely audio/plugin related. Glad you're up and running.

[mikehalloran]

BTW - Matt at MOTU had responded to my support ticket by making a video of him reviewing and addresses my notes. Who does that? I was blown away by how deep he was willing to go and how much effort he put into diagnosing the problem.

He has been a big help to me, too.