Windows 11 22H2 no longer supports Software Restriction Policies (SRP)

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,908
I am also curious. I thought changing environment variables normally requires admin rights (when @Andy Ful is talking about __PSLockDownPolicy)
I cannot post anything about this bypass on MT, but it is well-known to professional administrators (and hackers).
The __PSLockDownPolicy should not be applied in Enterprises. It is efficient at home because the attackers do not expect it and do not bother to check it. :)
 

ForgottenSeer 98186

I am also curious. I thought changing environment variables normally requires admin rights (when @Andy Ful is talking about __PSLockDownPolicy)
It is public info. If interested, send me a PM and I will provide you multiple links to researchers, pentest and GitHub sources. Some of it is tedious, long reading. Well worth it if you want the knowledge.

A 10 second Google search using the correct keywords will return a bunch of links.
 

Andy Ful

I asked ChatGPT (via Bing): "Can Software Restriction Policies work on Windows 11?"
Here is the answer:
[Image: 1677672411451.png]


The suggested 5 links are generally about SRP. Only one of them suggests the solution (link to this thread on MT). :)
 

Andy Ful

I tested the SRP with my correction:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Srp\Gp]
"RuleCount"=dword:00000000

In the test, the SAC was (re)set several times between all available modes ON, OFF, and Evaluation. This can be done by using the registry tweaks (Windows restart is required):
  1. ON mode:
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CI\Policy]
    "VerifiedAndReputablePolicyState"=dword:00000001
  2. OFF mode:
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CI\Policy]
    "VerifiedAndReputablePolicyState"=dword:00000000
  3. Evaluation mode:
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CI\Policy]
    "VerifiedAndReputablePolicyState"=dword:00000002
In all instances, both SRP and SAC worked as intended.
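
Added example, not part of Andy Ful's post or of Hard_Configurator: a read-only PowerShell check that reports the RuleCount value and the SAC mode configured by the registry values quoted above. The function names are hypothetical; the key paths, value names and mode numbers are the ones given in the post.

```powershell
# Added example, not from the thread: read-only check of the two registry
# values quoted in the post. Nothing is written to the registry.
$SrpGpKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Srp\Gp'
$CiPolicyKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Policy'

# SAC mode mapping exactly as listed in the post.
$SacModes = @{ 0 = 'OFF'; 1 = 'ON'; 2 = 'Evaluation' }

function Get-RegDword {            # hypothetical helper name
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value is absent (no exception raised).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-SrpSacState {         # hypothetical function name
    $ruleCount = Get-RegDword -Path $SrpGpKey -Name 'RuleCount'
    $sacRaw    = Get-RegDword -Path $CiPolicyKey -Name 'VerifiedAndReputablePolicyState'

    if ($null -eq $sacRaw) {
        $sacMode = 'value not present'
    } elseif ($SacModes.ContainsKey([int]$sacRaw)) {
        $sacMode = $SacModes[[int]$sacRaw]
    } else {
        $sacMode = "unlisted value ($sacRaw)"
    }

    # The post notes that a Windows restart is required after changing the SAC
    # value, so this reports the configured state, not necessarily the active one.
    [pscustomobject]@{
        SrpGpRuleCount    = $ruleCount
        RuleCountIsZero   = ($null -ne $ruleCount) -and ([int]$ruleCount -eq 0)
        SacRegistryValue  = $sacRaw
        SacConfiguredMode = $sacMode
    }
}

Get-SrpSacState | Format-List
```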
 

bazang

Level 14
Jul 3, 2024
661
Bitdefender Free is one of the best options to install on uninclined, uninitiated, ignorant computer user systems combined with any free SRP blocking program.

I place BF + SRP onto prolific downloader systems and then change their accounts to Guest accounts.

When the user(s) contact me (except for business) to complain something was blocked - I never respond. Ever. I just never reply or respond because I don't have time to deal with all the prolific downloaders and fixing all the problems that they create. Maybe once per year or once every other year. Rarely do I find that BF or SRP have blocked anything legitimate. SRP is set to block executions in User Space. Guest Account, along with setting Windows installs from Microsoft Store only, solves 99.9% of problems.

Children are very angry with this configuration. Old people are too old to complain. Businesses are happy they are not infected and do not lose productivity. And the unicorns with their rainbows roam freely in the world.
 

pxxb1

Level 11
Verified
Well-known
Jan 17, 2018
514
Even in Pro versions? And why? So, how can we harden Windows 11 with Bitdefender Free if we don't have SRP?

Search on the net for Applocker and WDAC.

Maybe some program by Andy Ful has something in it. His programs have several threads here.
 

bazang

Which free SRP software with a GUI can you advise?
Hard_Configurator

SRP has been discontinued in W11 from 22H2 and up.
No. It has not been discontinued.

SRP = version 1
AppLocker = version 2
WDAC = version 3

SRP still works on Windows 11 24H2. It has never changed. Microsoft made a mistake with a single build release that broke SRP but then it fixed it due to industry outcry.
 

pxxb1

Hard_Configurator


No. It has not been discontinued.

SRP = version 1
AppLocker = version 2
WDAC = version 3

SRP still works on Windows 11 24H2. It has never changed. Microsoft made a mistake with a single build release that broke SRP but then it fixed it due to industry outcry.

Yes it is: Windows 11 22H2 no longer supports Software Restriction Policies (SRP)

But one can still activate and use it with a registry tweak. Which seems like a no-good idea since SRP will not be updated or maintained. The reason for Andy Ful's WHHLight was because of this. H_C nowadays is for W10 where SRP is still active.
 

bazang

Yes it is: Windows 11 22H2 no longer supports Software Restriction Policies (SRP)

But one can still activate and use it with a registry tweak. Which seems like a no-good idea since SRP will not be updated or maintained. The reason for Andy Ful's WHHLight was because of this. H_C nowadays is for W10 where SRP is still active.
Nope.

SRP is still fully functional on Windows 11 24H2. Microsoft has to maintain SRP because so many enterprises and organizations still use it.

"Deprecated" in Microsoft parlance only means at some point in the future it might be removed. It will be years before SRP is killed-off by Microsoft.

Hard_Configurator works fine on Windows 11 24H2 and it will continue to do so. Most of Windows security is managed via registry keys, so Microsoft leaving the ability to set a registry key to enable SRP is fully consistent with Microsoft's security practices on Windows.
 

Andy Ful

Yes it is: Windows 11 22H2 no longer supports Software Restriction Policies (SRP)

But one can still activate and use it with a registry tweak. Which seems like a no-good idea since SRP will not be updated or maintained. The reason for Andy Ful's WHHLight was because of this. H_C nowadays is for W10 where SRP is still active.

@bazang is right. Microsoft deprecated SRP seven years ago = SRP is not actively developed or updated. However, it is fully functional on Windows 10 and 11, except that users cannot apply AppLocker rules at the same time on the same computer with Windows 11 installed. Both SRP and AppLocker rules can be used together but on different computers (client-server solutions). SRP and AppLocker share some Windows APIs, so Microsoft does not remove SRP but disables it by default to avoid possible conflicts with AppLocker. On Windows 10, AppLocker is disabled by default (can be enabled). On Windows 11, AppLocker is enabled by default on fresh installations (can be disabled, or deactivated = no rules). If one upgrades Windows 10 to Windows 11, AppLocker is disabled/enabled if it was disabled/enabled before the upgrade.

[Image: 1744280023511.png]


WHHLight uses SRP to apply some SWH settings that are very useful and cannot be replicated by WDAC.
Microsoft could have removed SRP in Windows 11, but it did not. Until Microsoft supports AppLocker, SRP will work (SRP or AppLocker based solutions are popular in Enterprises). Microsoft will probably rebuild the security significantly in Windows 12 and remove SRP.

Post edited.
 