Tutorial Windows Pro owner? Use Software Restriction Policies!

Andy Ful

From Hard_Configurator Tools
I use Windows 11 Education, converted WindowsDefault_Enforced.xml to .cip and my answer is yes for everything below the second question.

Finally, I found out the source of the different results. In my tests (a few months ago) I used the SmartAppControl template included in Windows\Schemas... This template looked like a full base policy, but in fact, it is not. Recently I closely analyzed the Microsoft documentation and found out that this template should be merged with another policy file included in:
$env:windir+"\CCM\DeviceGuard\MergedPolicy_ISG.xml"
The above policy file comes from paid software, so I used one of the default templates included in WDAC Wizard.
The SmartAppControl template must be edited - the option "Enabled:Conditional Windows Lockdown Policy" should be removed as Microsoft suggests.
After making the binary .cip file I deployed it in the \Active directory. But, the system did not start properly due to blocking some drivers. For testing, I whitelisted all drivers and finally, this WDAC policy worked well.
Anyway, this policy alone does not work like SAC - it works as any WDAC policy on Windows 10. When SAC policies are renamed (inactive, but SAC is ON), some executables are blocked by ISG, but are not blocked by SAC (tested on another snapshot). When SAC policies are active then the SAC allowlist overrides the WDAC ISG (that is good). Also, I did not manage to deploy working supplemental policies for SAC.

Conclusion.
For now, I cannot see the possibility to make SAC more usable. It is possible to use custom WDAC policies alongside SAC, but this cannot be used to whitelist something. The custom policies can only add more restrictions.

Post edited.

Andy Ful

It is possible to turn SAC to Evaluate (if it was previously turned OFF by the user) without refreshing Windows.
One has to use the recovery CMD to load the System registry hive offline and set the keys below to 2:

...\CurrentControlSet001\Control\CI\Policy!VerifiedAndReputablePolicyState
...\CurrentControlSet001\Control\CI\Protected!VerifiedAndReputablePolicyStateMinValueSeen

The second key is protected against tampering, so one has to use a recovery environment to modify the registry offline.
The OFF setting is related to the value 0, and the ON setting to the value 1.

Edit.
This tip is only for advanced (and careful) users. :)
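As an added illustration (not Andy Ful's code), this PowerShell reads the two SAC values named above so an administrator can see the current state before deciding anything, and wraps the offline-hive edit from the post in a function meant to be run only from the recovery environment. Assumptions: `powershell.exe` is available in WinRE (the same `reg.exe` commands work from the plain recovery prompt), the offline Windows volume is `C:`, and the value meanings are the ones given in the post (0 = Off, 1 = On, 2 = Evaluate).

```powershell
# Added example, not from the post: inspect the two Smart App Control values
# and (from WinRE only) apply the offline-hive change described above.
# Value meanings as stated in the post: 0 = Off, 1 = On, 2 = Evaluate.
$SacStates = @{ 0 = 'Off'; 1 = 'On'; 2 = 'Evaluate' }

function Get-SacState {
    # Read-only check on a booted system (run as Administrator); changes nothing.
    $ci    = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI'
    $state = (Get-ItemProperty "$ci\Policy"    -Name VerifiedAndReputablePolicyState -EA SilentlyContinue).VerifiedAndReputablePolicyState
    $min   = (Get-ItemProperty "$ci\Protected" -Name VerifiedAndReputablePolicyStateMinValueSeen -EA SilentlyContinue).VerifiedAndReputablePolicyStateMinValueSeen
    [pscustomobject]@{
        PolicyState       = $state
        PolicyStateName   = if ($null -ne $state) { $SacStates[[int]$state] } else { 'not present' }
        MinValueSeen      = $min
        MinValueSeenName  = if ($null -ne $min)   { $SacStates[[int]$min] }   else { 'not present' }
        # Once the protected value has reached 0 (Off), a live edit of Policy alone
        # will not bring SAC back; that is the case the offline edit below is for.
        OfflineEditNeeded = ($min -eq 0)
    }
}

function Set-SacEvaluateOffline {
    # Run ONLY from the recovery environment, where the installed OS hive can be
    # loaded and edited offline. $SystemDrive is an assumption (C: by default).
    param([string]$SystemDrive = 'C:')
    $hive = Join-Path $SystemDrive 'Windows\System32\config\SYSTEM'
    & reg.exe load HKLM\OfflineSYSTEM $hive | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Could not load hive $hive" }
    try {
        # An offline hive has no CurrentControlSet link; Select\Current names the active set.
        $cs = (Get-ItemProperty 'HKLM:\OfflineSYSTEM\Select' -Name Current).Current
        $ci = 'HKLM\OfflineSYSTEM\ControlSet{0:D3}\Control\CI' -f $cs
        & reg.exe add "$ci\Policy"    /v VerifiedAndReputablePolicyState             /t REG_DWORD /d 2 /f | Out-Null
        & reg.exe add "$ci\Protected" /v VerifiedAndReputablePolicyStateMinValueSeen /t REG_DWORD /d 2 /f | Out-Null
    } finally {
        # Always unload, otherwise the offline hive stays locked and the OS may not boot cleanly.
        & reg.exe unload HKLM\OfflineSYSTEM | Out-Null
    }
}
```

Run `Get-SacState` on the booted system first; only if it reports `OfflineEditNeeded = True` is there any reason to boot into recovery and call `Set-SacEvaluateOffline`.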