Guide | How To Windows Home/Pro owner? Use Software Restriction Policies!


Andy Ful
From Hard_Configurator Tools
I use Windows 11 Education, converted WindowsDefault_Enforced.xml to .cip and my answer is yes for everything below the second question.

Finally, I found out the source of the different results. In my tests (a few months ago) I used the SmartAppControl template included in Windows\Schemas... This template looked like a full base policy, but in fact, it is not. Recently I closely analyzed the Microsoft documentation and found out that this template should be merged with another policy file included in:
$env:windir+"\CCM\DeviceGuard\MergedPolicy_ISG.xml"
The above policy file comes from paid software, so I used one of the default templates included in WDAC Wizard.
The SmartAppControl template must be edited - the option "Enabled:Conditional Windows Lockdown Policy" should be removed as Microsoft suggests.
After making the binary .cip file I deployed it in the \Active directory. But, the system did not start properly due to blocking some drivers. For testing, I whitelisted all drivers and finally, this WDAC policy worked well.
Anyway, this policy alone does not work like SAC - it works as any WDAC policy on Windows 10. When SAC policies are renamed (inactive, but SAC is ON), some executables are blocked by ISG, but are not blocked by SAC (tested on another snapshot). When SAC policies are active then the SAC allowlist overrides the WDAC ISG (that is good). Also, I did not manage to deploy working supplemental policies for SAC.

Conclusion.
For now, I cannot see the possibility to make SAC more usable. It is possible to use custom WDAC policies alongside SAC, but this cannot be used to whitelist something. The custom policies can only add more restrictions.

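The policy build the post above describes (merge the SmartAppControl template with a second base policy, drop "Enabled:Conditional Windows Lockdown Policy", compile to .cip, deploy to \Active), as an added example that is not code from the original post. It differs from the post in one practitioner detail: the policy is first deployed in audit mode, so the driver blocks that stopped the author's system from booting appear as CodeIntegrity events (ID 3076) instead of a failed boot, and the drivers that need allow rules can be read from the log. The template path, the working folder and the second base policy file (here an export from the WDAC Wizard) are assumptions; CiTool is only present on Windows 11 22H2 and later.

```powershell
# Added example, not code from the original post. Builds one WDAC base policy from
# the SmartAppControl template merged with a second base policy, strips the
# "Enabled:Conditional Windows Lockdown Policy" rule option, and deploys the result
# in AUDIT mode first so that drivers the policy would block are logged instead of
# blocked. Assumed paths: $template, $work and $secondBase. Run elevated.
$ErrorActionPreference = 'Stop'

$work       = 'C:\WDAC'                                                                        # assumed
$template   = Join-Path $env:windir 'schemas\CodeIntegrity\ExamplePolicies\SmartAppControl.xml' # assumed
$secondBase = Join-Path $work 'WizardBase.xml'                                                 # assumed Wizard export
$mergedXml  = Join-Path $work 'SAC_Custom.xml'
$mergedCip  = Join-Path $work 'SAC_Custom.cip'
New-Item -ItemType Directory -Path $work -Force | Out-Null

# 1. Merge. Merge-CIPolicy takes the rule options from the first policy listed (the template).
Merge-CIPolicy -PolicyPaths $template, $secondBase -OutputFilePath $mergedXml | Out-Null

# 2. Remove the conditional-lockdown option by name, editing the XML directly rather
#    than relying on a numeric Set-RuleOption index.
[xml]$xml = Get-Content -Path $mergedXml -Raw
$ns = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
$ns.AddNamespace('ci', $xml.SiPolicy.NamespaceURI)
$removed = 0
foreach ($rule in @($xml.SelectNodes('/ci:SiPolicy/ci:Rules/ci:Rule', $ns))) {
    if ($rule.Option -eq 'Enabled:Conditional Windows Lockdown Policy') {
        $rule.ParentNode.RemoveChild($rule) | Out-Null
        $removed++
    }
}
$xml.Save($mergedXml)
Write-Host "Removed $removed 'Conditional Windows Lockdown Policy' option(s)"

# 3. Option 3 = Enabled:Audit Mode (log instead of block on the first boot);
#    option 6 = Enabled:Unsigned System Integrity Policy (deployable without signing).
Set-RuleOption -FilePath $mergedXml -Option 3
Set-RuleOption -FilePath $mergedXml -Option 6

# 4. New policy GUID in multiple-policy format; the file in \Active must be named {GUID}.cip.
Set-CIPolicyIdInfo -FilePath $mergedXml -ResetPolicyID | Out-Null
$policyId = ([xml](Get-Content -Path $mergedXml -Raw)).SiPolicy.PolicyID   # "{GUID}"

# 5. Compile to binary and deploy into the Active policies folder.
ConvertFrom-CIPolicy -XmlFilePath $mergedXml -BinaryFilePath $mergedCip | Out-Null
$active = Join-Path $env:windir 'System32\CodeIntegrity\CiPolicies\Active'
Copy-Item -Path $mergedCip -Destination (Join-Path $active "$policyId.cip") -Force
$citool = Join-Path $env:windir 'System32\CiTool.exe'
if (Test-Path $citool) { & $citool --refresh --json | Out-Null } else { Write-Host 'Reboot to apply the policy.' }

# 6. After a reboot with the machine in use: 3076 = would have been blocked (audit),
#    3077 = blocked (enforced). The first message line names the file, e.g. a driver.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076, 3077 } `
    -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'File'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize
```

Once the 3076 events show which drivers the policy would block, add allow rules for them (or scan them with New-CIPolicy and merge the result), then remove option 3 with `Set-RuleOption -FilePath $mergedXml -Option 3 -Delete`, rebuild the .cip and redeploy it under the same GUID. Removing a policy is just deleting its {GUID}.cip from \Active and rebooting, which is the recovery path if enforcement still breaks the boot.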

Andy Ful
From Hard_Configurator Tools
It is possible to turn SAC to Evaluate (if it was previously turned OFF by the user) without refreshing Windows.
One has to use the recovery CMD to load the System registry hive offline and set the below keys to 2:

...\CurrentControlSet001\Control\CI\Policy!VerifiedAndReputablePolicyState
...\CurrentControlSet001\Control\CI\Protected!VerifiedAndReputablePolicyStateMinValueSeen

The second key is protected against tampering, so one has to use a recovery environment to modify the registry offline.
The OFF setting is related to the value 0, and the ON setting to the value 1.

Edit.
This tip is only for advanced (and careful) users. :)
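The offline edit described in the post above, as an added example that is not code from the original post. It loads the SYSTEM hive of the installed Windows from the recovery environment, resolves which ControlSetNNN is the live one (an offline hive has no CurrentControlSet link; the Select\Current value names it), writes the two values and unloads the hive again, which is what lets the tamper-protected Protected key be changed. Assumptions: the recovery Command Prompt can start powershell (the reg.exe lines are identical if typed in cmd), and $WindowsDrive is the letter the recovery environment gave the installed Windows, which is often not C:.

```powershell
# Added example, not code from the original post. Sets the SmartAppControl state in an
# OFFLINE SYSTEM hive: 0 = Off, 1 = On, 2 = Evaluation (values as quoted in the post).
# Run from the recovery Command Prompt after typing "powershell". Assumptions:
# $WindowsDrive is the letter assigned to the installed Windows in the recovery
# environment, and the value names/locations are the ones quoted in the post above.
param(
    [string]$WindowsDrive = 'C:',
    [ValidateRange(0, 2)][int]$State = 2
)
$ErrorActionPreference = 'Stop'

$hiveFile = Join-Path $WindowsDrive 'Windows\System32\config\SYSTEM'
$mount    = 'HKLM\OfflineSYSTEM'
if (-not (Test-Path $hiveFile)) { throw "SYSTEM hive not found at $hiveFile (wrong drive letter?)" }

& reg.exe load $mount $hiveFile | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'reg load failed (hive in use? run this from the recovery environment, not the live system)' }
try {
    # No CurrentControlSet in an offline hive: Select\Current holds the number of the live control set.
    $sel = (& reg.exe query "$mount\Select" /v Current) -join "`n"
    if ($sel -notmatch 'Current\s+REG_DWORD\s+0x([0-9A-Fa-f]+)') { throw 'Cannot read Select\Current' }
    $controlSet = 'ControlSet{0:D3}' -f [Convert]::ToInt32($Matches[1], 16)

    $targets = @(
        @{ Key = "$mount\$controlSet\Control\CI\Policy";    Name = 'VerifiedAndReputablePolicyState' },
        @{ Key = "$mount\$controlSet\Control\CI\Protected"; Name = 'VerifiedAndReputablePolicyStateMinValueSeen' }
    )
    foreach ($t in $targets) {
        # Show the current value first (prints ERROR if it does not exist yet) so the change can be reverted.
        & reg.exe query $t.Key /v $t.Name
        & reg.exe add $t.Key /v $t.Name /t REG_DWORD /d $State /f | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "reg add failed for $($t.Key)\$($t.Name)" }
        & reg.exe query $t.Key /v $t.Name   # verify the new value
    }
}
finally {
    # Always unload, otherwise the hive stays locked and Windows will not boot from it.
    & reg.exe unload $mount | Out-Null
}
```

After rebooting into Windows, confirm the result with `Get-ItemPropertyValue -Path HKLM:\SYSTEM\CurrentControlSet\Control\CI\Policy -Name VerifiedAndReputablePolicyState` (expect 2) and in Windows Security > App & browser control > Smart App Control. Keep the values the first query printed; writing them back the same way reverts the change.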

CyberTech
For those who use Windows 10/11 Home, here's a link!


I reported it to Staff to rename the title from Pro owner to Home/Pro owner.
 

Andy Ful
From Hard_Configurator Tools
CyberTech said:
For those who use Windows 10/11 Home, here's a link!

I reported it to Staff to rename the title from Pro owner to Home/Pro owner.

I am not sure if this video is related to Software Restriction Policies. :unsure:
PolicyPlus brings some functionality of GPO to Windows Home, but without Software Restriction Policies.
 
