Smart App Control State remain False

HotCakeX / Harden-Windows-Security

Harden Windows Safely, Securely using Official Supported Microsoft methods and proper explanation | Always up-to-date and works with the latest build of Windows | Provides tools and Guides for Personal, Enterprise, Government and Military security levels | Read The Rationale https://github.com/HotCakeX/Harden-Windows-Security/blob/main/Rationale.md

MIT License

1.72k stars 134 forks source link

Tools category

Harden Windows Security Module

Does Your System Meet The Requirements?

[X] Yes, I acknowledge that I've read the requirements and my system meets them. 👍

Is your Windows Installation Genuine?

[X] Yes, I acknowledge that the installation media of the Windows OS I used the tool on was downloaded from the official Microsoft website and I didn't tamper or modify it. 💯

Did You Read The Frequently Asked Questions?

[X] Yes, I've referred to the FAQs and my issue is not covered/explained in there.

Please Explain The Bug

On a clean Windows 23H2 installation, I run the script on either VMWare Workstation Pro or in Hyper-V and I get the warnings: WARNING: The parameter OobeEnableRtpAndSigUpdate is not available yet, restart the OS one more time after updating and try again. and so on, because Smart App Control State is not turned ON yet, but even after trying this myself and clearly seeing the state is ON, these warnings keep appearing, sometimes after several reboots I somehow get it to work, but I cannot say when and how. Is there some issue with Smart App Control on a virtual machine? Is this expected, or can it be fixed?

Error Details

No response

When you change the status of Smart App Control, you need to reboot once before its status is populated properly and the Confirm-SystemCompliance detects it. Smart App Control uses a signed WDAC policy, they need a reboot before their anti-tampering functionality is activated through Secure Boot.
There is no issue with Smart App Control on virtual machines, I use it myself in VMs.
OobeEnableRtpAndSigUpdate is a parameter of Microsoft Defender for something else that's explained in the readme page in the Microsoft Defender category.
The warning messages mean you just installed the OS, either didn't install the latest updates or installed them but didn't give the OS enough time to prepare the Defender module. So basically Get-MpPreference does not have the parameters displayed in the warning messages yet. (You will see that too when you use that cmdlet)

My suggestion is giving the OS enough time to prepare itself after just installing and fully updating it, then reboot once or twice.

For comparison, if you run it on Azure VMs they don't need this extra wait time as they are fully updated already.

P.S the next version of Windows 11, 24H2, has all of these new Defender features by default from the beginning in the group policies so it won't need the Get-MpPreference cmdlet to activate those features.

So you see there isn't much I can do other than communicating the message to the user, at least for now. Hope that helps.

HotCakeX / Harden-Windows-Security