Guide | How To Windows Home/Pro owner? Use Software Restriction Policies!

[Andy Ful]

Have you tried to remove all files in "CiPolicies\Active" folder?

Yes.
It seems that also WDAC does not work after the SAC is turned off (from Evaluation or ON mode).
I removed all SAC policies from the "Active" folder (Trusted Installer privileges are required) and applied my own policy. The WDAC policy that works well on Windows 10, does not work at all on clean installed Windows 11 with 2020 update and SAC turned OFF.
The same WDAC policy and SRP work well on Windows 11 with 2020 update, when upgrading from Windows 10.

 

[oldschool]

Thanks for posting your SRP test results.

@Furyo Yes, I read the entire docs. But of course M$ doesn't document any changes, breakages, etc. to SRP in light of the introduction of SAC, other than adding it to the Deprecated list years ago. So now we have broken SRP, complex WAC and experimental SAC. I'll continue to use Defender along with the rest of the plebes.

 

[Kongo]

@Andy Ful

The one issue I'm having with Disallowed is when I open Windows Security I get this:
View attachment 269569
I'm unable to access Virus & threat detection, etc. in SU or Admin account and get no WS notifications. Any ideas?

I have the same issue but it's only temporary and I am only using SWH.

 

[Andy Ful]

So now we have broken SRP, complex WAC and experimental SAC.

We have now broken SRP and WDAC. For now, both do not work on clean installed Windows 11 with 2020 update. When SAC is On or set to Evaluate mode, one cannot replace SAC policies with custom WDAC policies. After turning OFF the SAC, WDAC does not work just like SRP (tested on Windows Pro).

 

[oldschool]

both do not work on clean installed Windows 11 with 2020 update.

You must mean the 2022 update.

 

[WhiteMouse]

Yes.
It seems that also WDAC does not work after the SAC is turned off (from Evaluation or ON mode).
I removed all SAC policies from the "Active" folder (Trusted Installer privileges are required) and applied my own policy. The WDAC policy that works well on Windows 10, does not work at all on clean installed Windows 11 with 2020 update and SAC turned OFF.
The same WDAC policy and SRP work well on Windows 11 with 2020 update, when upgrading from Windows 10.

Do you use .cip or .bin with Group Policy? When I used .bin with GPO, it didn't work but then I switched to .cip and just copied that file to \Active and it works properly.

 

[Andy Ful]

Do you use .cip or .bin with Group Policy? When I used .bin with GPO, it didn't work but then I switched to .cip and just copied that file to \Active and it works properly.

I use .cip policy in \Active directory.

Do you use a clean installation of Windows 11 with the latest update and SAC set to Evaluate or OFF?

If SAC is ON then it runs on WDAC, but you cannot change the policies. If I correctly recall, even if you will use your own WDAC policy file - the SAC policies in EFI should override your WDAC policies.

 

[WhiteMouse]

I use .cip policy in \Active directory.

Do you use a clean installation of Windows 11 with the latest update and SAC set to Evaluate or OFF?

If SAC is ON then it runs on WDAC, but you cannot change the policies. If I correctly recall, even if you will use your own WDAC policy file - the SAC policies in EFI should override your WDAC policies.

Yes, I use a clean installation of Windows 11, SAC is Evaluation -> Off.
I haven't tested this (will do it later), but if SAC is on and you put another base policy inside that folder, both can co-exist. A file must be allowed by both policy to be able to run. That's how multiple WDAC policies work.

 

[Andy Ful]

Yes, I use a clean installation of Windows 11, SAC is Evaluation -> Off.
I haven't tested this (will do it later), but if SAC is on and you put another base policy inside that folder, both can co-exist. A file must be allowed by both policy to be able to run. That's how multiple WDAC policies work.

If I correctly recall, in my tests this did not work. Adding custom multiple policies did not change anything.
Of course, that worked on Windows 10.

 

[oldschool]

If I correctly recall, even if you will use your own WDAC policy file - the SAC policies in EFI should override your WDAC policies.

I read the same thing.

 

[WhiteMouse]

If I correctly recall, in my tests this did not work. Adding custom multiple policies did not change anything.
Of course, that worked on Windows 10.

It works on my computer. The funny thing is IVPN blocked by my custom policy, but Windows thought it blocked by SAC. After I removed my custom policy, IVPN launched with no issues.

 

[ForgottenSeer 95367]

But of course M$ doesn't document any changes, breakages, etc. to SRP in light of the introduction of SAC

Microsoft could have broken it deliberately or even not even know that it broke it. With these builds it is hard to know. A quick look online about 22H2 and it is evident that it is a troublesome release with multiple problems.

The Big M is keenly aware that if it tampers with legacy, those that use legacy will be alienated from adopting W11. WDAC remains in a wonky state of usability and functionality, and is not close to being a proper replacement for SRP. Far too many organizations use the legacy SRP for M$ to abruptly cast SRP down the disposal pipe.

 

[ForgottenSeer 95367]

It works on my computer. The funny thing is IVPN blocked by my custom policy, but Windows thought it blocked by SAC. After I removed my custom policy, IVPN launched with no issues.

It would be nice if you translated what the notification says. The only other person here at MT that can read it is @show-Zi.

 

[Andy Ful]

It works on my computer. The funny thing is IVPN blocked by my custom policy, but Windows thought it blocked by SAC. After I removed my custom policy, IVPN launched with no issues.

Interesting. Could you post here the XML file of your custom policy?
Do you use Windows Home or Pro?
I assume that you use a clean installation of Windows 11 with the 2022 update and SAC is turned ON.
From your post, it follows that your .cip policy is in the \Active folder together with 6 policy files of SAC.

 

[WhiteMouse]

Interesting. Could you post here the XML file of your custom policy?
Do you use Windows Home or Pro?
I assume that you use a clean installation of Windows 11 with the 2022 update and SAC is turned ON.
From your post, it follows that your .cip policy is in the \Active folder together with 6 policy files of SAC.

I use Windows 11 Education, converted WindowsDefault_Enforced.xml to .cip and my answer is yes for everything below the second question.

 

[Andy Ful]

I use Windows 11 Education, converted WindowsDefault_Enforced.xml to .cip and my answer is yes for everything below the second question.

After some experiments, I managed to spoil the SAC protection. Windows Security Center shows that SAC is ON, but I can run anything I want. The files are checked by SAC and violate code integrity, but SAC does not block them. It thinks that policies are in auditing mode. I deleted all SAC policies and applied my custom policy very similar to the base policy of SAC, but with a different GUID.

To skirt around SAC, the Trusted Installer privileges are required. The binary policy file was not configured to audit mode and normally blocks executables.
A similar effect can be forced by removing SAC policies (no WDAC/SAC policies at all). In this case, Event Log does not log CodeIntegrity events.

 

[WhiteMouse]

I didn't trust the On/Off button in Windows Security. I had a file that's guarantee blocked by SAC to test it and confirmed SAC was On before applied DefaultWindows_Enforced.

And did you restart the computer after turned SAC on btw?

 

[ForgottenSeer 95367]

After some experiments, I managed to spoil the SAC protection. Windows Security Center shows that SAC is ON, but I can run anything I want. The files are checked by SAC and violate code integrity, but SAC does not block them. It thinks that policies are in auditing mode. I deleted all SAC policies and applied my custom policy very similar to the base policy of SAC, but with a different GUID.

View attachment 269633

View attachment 269634

To skirt around SAC, the Trusted Installer privileges are required. The binary policy file was not configured to audit mode and normally blocks executables.
A similar effect can be forced by removing SAC policies (no WDAC/SAC policies at all). In this case, Event Log does not log CodeIntegrity events.

@Andy Ful doing the testing that Microsoft should be doing itself.

 

[Andy Ful]

Today I have repeated my tests (Windows 11 Home ver 22H2 Insider OS build 25201.1000):

1. Turn Off the Internet connection.
2. Start from the snapshot SAC ON.
3. Run suspicious application = blocked with SAC alert. Check Event Log, blocked events logged (Id=3033 and 3077). Event Log also logs that the 4 policies were refreshed and activated (Id=3099). One of these policies is {d2bda982-...}.cip (Windows Driver Policy) which is absent in the "\Active" directory.
4. Rename all policies in the "\Active" directory (reboot).
5. Run suspicious application = allowed. Check Event Log, events not logged (reboot).
6. Restore the names of original policies in the "\Active" directory (reboot).
7. Run suspicious application = blocked with SAC alert. Check Event Log, blocked events logged.

So it is possible to enable/disable SAC without turning it OFF in the Security Center. I tested this with a disabled Internet connection. So some more tests are required.
I do not recommend this method on the real system, because it is not documented by anyone.

Post updated.
When making a backup and restoring the policies (by copying them from the backup) the file permissions can be changed (lowered), so one has to do it by preserving NTFS file permissions. It is easier to rename the policies without removing them. In my test, I added the "B" letter at the front of the policy name.

 

[ForgottenSeer 95367]

Today I have repeated my tests (Windows 11 Home ver 22H2 Insider OS build 25201.1000):

1. Turn Off the Internet connection.
2. Start from the snapshot SAC ON.
3. Run suspicious application = blocked with SAC alert. Check Event Log, blocked events logged (Id=3033 and 3077). Event Log also logs that the 4 policies were refreshed and activated (Id=3099). One of these policies is {d2bda982-...}.cip (Windows Driver Policy) which is absent in the "\Active" directory.
4. Rename all policies in the "\Active" directory (reboot).
5. Run suspicious application = allowed. Check Event Log, events not logged (reboot).
6. Restore the names of original policies in the "\Active" directory (reboot).
7. Run suspicious application = blocked with SAC alert. Check Event Log, blocked events logged.

So it is possible to enable/disable SAC without turning it OFF in the Security Center. I tested this with a disabled Internet connection. So some more tests are required.
I do not recommend this method on the real system, because it is not documented by anyone.

Post updated.
When making a backup and restoring the policies (by copying them from the backup) the file permissions can be changed (lowered), so one has to do it by preserving NTFS file permissions. It is easier to rename the policies without removing them. In my test, I added the "B" letter at the front of the policy name.

Put in "\Active" directory both:
1. Original.cip
2. Re-named.cip