AndyFul / Hard_Configurator

GUI to Manage Software Restriction Policies and harden Windows Home OS

SRP not working on clean installs of Windows 11 22H2 #14

Closed ghost closed 1 year ago

ghost commented 2 years ago

Very easy to reproduce this one. Clean install 22H2 (specifically build 22621.xxx), install Hard_Configurator, try to apply SRP, relog/restart and you'll notice that it doesn't actually work. Easy way to find out is to block a sponsor and try to execute said sponsor.

This can be fixed if you apply SRP through group policy, delete the group policy SRP and then re-install SRP in Hard_Configurator, but it doesn't always work.

This started happening as of update 6.0.1.1. A fix would be appreciated.

AndyFul commented 2 years ago

SRP does not work on the current builds of Windows 11 22H2 (Windows Insider). I reported this issue to Microsoft - it can be related to the introduction of Smart App Control in Windows 11.

ghost commented 2 years ago

> SRP does not work on the current builds of Windows 11 22H2 (Windows Insider). I reported this issue to Microsoft - it can be related to the introduction of Smart App Control in Windows 11.

SAC is essentially a WDAC user mode policy so it should not have anything to do with SRP, that's weird.

I got it to work after a few tries of repeating the same process.

AndyFul commented 2 years ago

SAC uses MDAC (WDAC) policy files, but with some additional features that are undocumented so far. For example, you cannot add multiple policies to modify the rules contained in the SAC base policy. Furthermore, SAC works differently from the option "Intelligent Security Graph Authorization" in MDAC. SAC is differently integrated with SmartScreen for Explorer. A similar issue is with a Child account. After activating security options on the Child account, SRP stops working and the issue persists even after removing this account (although I did not test it for a year, so this could change).

ghost commented 2 years ago

How come I managed to get SRP to work on 22H2 by repeatedly creating and deleting my own SRP in Group Policy, then re-installing SRP in H_C? I don't think it's completely incompatible, just that there's something interfering with it working the first time.

AndyFul commented 2 years ago

It is possible. But still, there are two serious problems at least:

  1. GPO does not work on Windows Home.
  2. You cannot be sure how long the SRP protection will survive (we do not know exactly the reason for this issue).

ghost commented 2 years ago

Yeah, I know. Someone needs to get in touch with Weston and ask him about the future of SRP and if anything will replace it.

derStephan commented 1 year ago

Maybe this helps: https://seclists.org/fulldisclosure/2023/Feb/13

If this is the case, then deleting these registry entries during install may be the solution.

AndyFul commented 1 year ago

Hi,
Thanks for the link. There is a thread about this on the MalwareTips forum. The Kanthak solution works only when SAC is OFF (but he correctly found the source of the problem). I managed to improve this solution: https://malwaretips.com/threads/windows-11-22h2-no-longer-supports-software-restriction-policies-srp.118472/post-1026368

derStephan commented 1 year ago

Is it possible to set these registry fixes upon install/upgrade?

AndyFul commented 1 year ago

It can survive Windows Updates and upgrade from Windows 10. Other possibilities were not tested so far.