SRP with additional rules - how to temporarily turn off on local Win10?

softie15

Level 2
Thread author
Verified
Oct 18, 2017
50
I have a very secure Windows 10 setup where I use SRP (software restriction policies) with a lot of additional rules (that @Andy Ful helped me setup, e.g. see this thread), some disallowing programs and other disallowed paths.

It's been a long while since I set this up, and I've run into some issues with upgrading the Win 10 box. I recalled that I should sometimes turn off SRP policies before applying major Windows upgrades.

So, I went to temporarily turn off SRP and found one step is very easy: set Seciurity Levels -> Unrestricted as default (later reset to Disallowed)

However, do I also need to switch all of my Disallowed *additional rules* to Unrestricted?

I tried to select a bunch of them in gpedit.msc but there does not appear to be an option to switch all selected ones from Disallowed to Unrestricted (or back).

So, is my best bet to manually do this, one rule at a time?

Thank you!
 

softie15

Level 2
Thread author
Verified
Oct 18, 2017
50

Doh! I was hoping I am missing a simpler option or that "Unrestricted " default security level would render all the additional rules Unrestricted too.

I suppose another option might be to write a pair of scripts to do this work (one to unrestrict and another to disable)? Do you happen to know what such a script may look like for say *script.exe and "C:\Windows\abc def" paths and I can fill the rest?

I realize I'd have to manually enable running cmd or powershell first before running it from disabled mode.

Thank you again!
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,042
There is a possibility to import GPO settings by using XML file.
But, this cannot be done on Windows Pro with default templates.

It is possible to use Powershell, but after installing RSAT tools:

It is also possible to make manually the changes via gpedit.msc and use LGPO tool to make a backup of GPO settings. These settings can be restored (when needed) by using LGPO tool.

Anyway, all these possibilities are not easy. That is why I prefer Hard_Configurator.:giggle:
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
Indeed, with Hard_Configurator it is one click to disable policies, and in fact, it doesn't even need to be done in order to upgrade Windows. Despite the fact that I have a relatively aggressive H_C policy in place, I successfully upgraded from 1809 to 1903 without turning off any security.
 

softie15

Level 2
Thread author
Verified
Oct 18, 2017
50
@Andy Ful , thank you very much. I can't use 3rd party software like HC unfortunately for this super secure setup. I really appreciate you listing the alternatives. lgpo.exe looked most promising to me at first until I realized I cannot do just the SRP policies backup. This means that if I backed up my settings before upgrade, and registry got changed by the software upgrade, I would lose those upgrades if I tried to restore them.

Oh well, I think I will have to manually disable/enable around 50 SRP rules one at a time for each major upgrade... :-(

Thank you very much for your thoughts!

@shmu26 , I wish I had the same experience. Instead, I lost ability to search for software (despite disabling Cortana, I had been able to use the magnifying glass search button before to search for installed software, but no longer), and there were a few other glitches after one of the upgrades (e.g. all Tiles came back even though I had disabled and removed them all, and some of my other settings got lost). The system is still usable for my purposes, and I don't want to reinstall it all. For now, I just plan to be more careful and disable SRPs before taking on major Windows upgrades.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top