Depreciated Windows 11 22H2 no longer supports Software Restriction Policies (SRP)

Gandalf_The_Grey

A brief note to Windows administrators who still rely on Software Restriction Policies (SRP). This security feature has been deprecated since 2020, but is still supported in Windows 10. But Windows 11 version 22H2 will definitely put an end to the use of Software Restriction Policies – AppLocker should be used instead.

Software Restriction Policies (SRP) deprecated

Software Restriction Policies (SRP) are a mechanism with which Windows administrators can specify, through guidelines, which software may be executed in the operating system. Software Restriction Policies have been available since Windows Server 2003 and are currently (according to this Microsoft page) still available in the following server variants:
  • Windows Server 2012
  • Windows Server 2012 R2
  • Windows Server 2016
  • Windows Server 2019
  • Windows Server 2022
In addition, software restriction policies are supported in Windows clients (Windows 7, Windows 8.1, Windows 10, Windows 11 21H1). I still read (also within my German blog in user comments) some recommendations to use software restriction policies to harden the system.

However, Microsoft had already discontinued the Software Restriction Policies (SRP) in June 2020 (see my blog post Windows 10 Version 2004: Deprecated/removed features). Microsoft already wrote about Windows 10 version 1803:

Software Restriction Policies in Group Policy: Instead of using the Software Restriction Policies through Group Policy, you can use AppLocker or Windows Defender Application Control to control which apps users can access and what code can run in the kernel.

The Microsoft article Deprecated features for Windows client, which was last updated on November 2, 2022, also lists the Software Restriction Policies as deprecated. Until now, however, Software Restriction Policies (SRP) were still supported in Windows 10 as well as Windows 11 version 21H1. But with the discontinuation, administrators should have long been warned that this security feature will eventually fail.

SRP in Windows 11 22H2 without function

I just came across this on Twitter, via the following tweet from Will Dormann: Microsoft has now removed Software Restriction Policies (SRP).

Will Dormann writes that the list of Windows security/defense measures that seem to do nothing is now quite long. A new addition is the Software Restriction Policies (SRP), which don't seem to do anything as of Windows 11 22H2. He concludes by saying, "Hopefully no one relies on this feature!". I assume that the blog readers have long been aware and have said goodbye to Software Restriction Policies. If not, keep this trap in mind when using Windows 11. Let's see when the feature is removed from Windows 10.
 

Andrezj

the reports of srp not functioning on clean installs of win11 22h2 and odd behavior on systems upgraded to win11 are accurate, yet born's tech states and draws conclusions not confirmed by microsoft
born says srp was removed in win 10 build 1803, which is not true as group policy controls were not removed; microsoft official documents list srp support for server 2022 back to 2003, then workstation from 11 all the way back to 7
the page they reference only says further development is stopped

microsoft has not discontinued srp on windows 11, it is a bug connected to clean installs of windows 11 and sac, microsoft is aware of it
this bug was reported many times during the insider build tests

microsoft official documentation for srp on windows 11 is listed as supporting srp, just think about it, millions of domain controllers, jump servers, radius servers, kerberos servers, servers of all kinds, all connected device members of a domain with the domain controller distributing srp through group policy or using other microsoft distribution methods like microsoft endpoint configuration manager or intune or using non-microsoft software policy distribution software (there are many)

microsoft is going to tell them all "sorry about your luck but srp gone on windows 11 22h2, downgrade to 21h1 or windows 10"? watch an enterprise uprising and revolt against microsoft
a move from srp to applocker or wdac at the enterprise scale can cost in the many millions, not to mention all the editions of windows workstations and servers still being used that do not support applocker or wdac

published 12/09/2022, still lists support for srp on windows 11

we will see

here is the official page where microsoft lists removed features for win10 and win11 workstation
srp is not listed

 