A brief note to Windows administrators who still rely on Software Restriction Policies (SRP). This security feature has been deprecated since 2020, but is still supported in Windows 10. Windows 11 version 22H2, however, will definitely put an end to the use of Software Restriction Policies; AppLocker should be used instead.
Software Restriction Policies (SRP) deprecated
Software Restriction Policies (SRP) are a mechanism that lets Windows administrators specify, via policies, which software may be executed in the operating system. Software Restriction Policies have been available since Windows Server 2003 and are currently (according to this Microsoft page) still available in the following server versions:
- Windows Server 2012
- Windows Server 2012 R2
- Windows Server 2016
- Windows Server 2019
- Windows Server 2022
In addition, software restriction policies are supported in Windows clients (Windows 7, Windows 8.1, Windows 10, Windows 11 21H1). I still read (also within my German blog in user comments) some recommendations to use software restriction policies to harden the system.
However, Microsoft had already discontinued the Software Restriction Policies (SRP) in June 2020 (see my blog post Windows 10 Version 2004: Deprecated/removed features). Microsoft already wrote about Windows 10 version 1803:
Software Restriction Policies in Group Policy: Instead of using the Software Restriction Policies through Group Policy, you can use AppLocker or Windows Defender Application Control to control which apps users can access and what code can run in the kernel.
The Microsoft article Deprecated features for Windows client, which was last updated on November 2, 2022, also lists the Software Restriction Policies as deprecated. Until now, however, Software Restriction Policies (SRP) were still supported in Windows 10 as well as Windows 11 version 21H1. But with the discontinuation, administrators should have long been warned that this security feature will eventually fail.
SRP in Windows 11 22H2 without function
I just came across this on Twitter, via the following tweet from Will Dormann, that Microsoft has now removed Software Restriction Policies (SRP).
Addendum: After I first published the German edition of this blog post, I got a discussion "Fake news, Software Restriction Policies (SRP) works as expected" within this blog. In particular, my ex-MVP colleague Mark Heitbrink commented that his Win 11 22H2 system uses SRP as known before. Then I asked Will Dormann for details, and he answered on Twitter:
Will Dormann has one machine where SRP works; on all other systems SRP fails to block applications. I mentioned this behavior within my German blog post, and now I have got two other independent confirmations. German blog reader Johannes commented here:
I ran across the same problem in mid-October and was able to figure out that SRP on Win11 22H2 Pro did not work for me: see the forum entry (German) Richtlinien für Softwareeinschränkungen werden nicht angewendet.
After I contacted Mark Heitbrink again, he ran another test case and came back with the following German comment:
New installation, standard ISO, no volume CD, installation Professional Edition in Workgroup and in AD. SRP policies "All files, All users and certificates", set of rules: %userprofile%\*.exe, %userprofile%\*\*.exe = not allowed. Both in AD and LGPO.
Shock: files are NOT blocked.
My first look was at my existing installation which was updated to 22H2. There SRP is still active.
So, after all, the observation that Will Dormann mentioned on Twitter has been confirmed by more users. German blog reader David Xanatos suspected that it has something to do with Smart App Control (SAC). He told me that Smart App Control seems to be implemented internally via SRP; at least, if that feature is not switched off, all processes access "\Device\SrpDevice". David did a test in a fresh Windows 11 22H2 VM and wrote:
I tested this in a virgin VM, and when SAC is on it is not possible to run anything unsigned, not even self-signed. Even if you import the used certificate into the corresponding trusted root cert lists, SAC gets in the way.
This might be an explanation for the behavior observed by several Windows 11 22H2 users.
Will Dormann writes that the list of Windows security/defense measures that seem to do nothing is now quite long. A new addition is Software Restriction Policies (SRP), which don't seem to do anything as of Windows 11 22H2. He concludes by saying, "Hopefully no one relies on this feature!". I assume that blog readers have long been aware of this and have said goodbye to Software Restriction Policies. If not, keep this trap in mind when using Windows 11. Let's see when the feature is removed from Windows 10.
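A way to check on a given machine whether the path rule from the test case above (%userprofile%\*.exe = not allowed) is really enforced, as an added example that is not code from this blog or from Microsoft. The registry locations for the SRP policy and the Smart App Control state, and the file name `srp-canary.exe`, are assumptions that do not come from the post.

```powershell
# Added example. Assumed, not from the post: the registry locations below and
# the canary file name. whoami.exe serves as a harmless stand-in executable.
$saferKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$ciKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Policy'

function Get-SrpConfiguredState {
    # SRP settings from a GPO or local policy are stored under this key.
    $p = Get-ItemProperty -Path $saferKey -ErrorAction SilentlyContinue
    if (-not $p) { return 'SRP: no policy values found' }
    # Disallowed path rules: ...\0\Paths\{GUID}, value ItemData holds the path.
    $rules = Get-ChildItem "$saferKey\0\Paths" -ErrorAction SilentlyContinue |
        ForEach-Object { (Get-ItemProperty -Path $_.PSPath).ItemData }
    'SRP: DefaultLevel={0}; disallowed paths: {1}' -f $p.DefaultLevel, ($rules -join ', ')
}

function Get-SacState {
    $p = Get-ItemProperty -Path $ciKey -ErrorAction SilentlyContinue
    $v = if ($p) { $p.VerifiedAndReputablePolicyState } else { $null }
    if     ($null -eq $v) { 'SAC: state value not present' }
    elseif ($v -eq 0)     { 'SAC: off' }
    elseif ($v -eq 1)     { 'SAC: on (enforcing)' }
    elseif ($v -eq 2)     { 'SAC: evaluation mode' }
    else                  { "SAC: unknown state $v" }
}

function Test-SrpBlocksUserProfile {
    # Mirrors the rule from the test case: %userprofile%\*.exe = not allowed.
    $canary = Join-Path $env:USERPROFILE 'srp-canary.exe'
    Copy-Item "$env:SystemRoot\System32\whoami.exe" $canary -Force
    try {
        & $canary | Out-Null          # only reached if process creation succeeds
        [pscustomobject]@{ Blocked = $false; Reason = 'process started' }
    } catch {
        # Process creation was refused; the message names the cause.
        [pscustomobject]@{ Blocked = $true; Reason = $_.Exception.Message }
    } finally {
        Remove-Item $canary -Force -ErrorAction SilentlyContinue
    }
}

Get-SrpConfiguredState
Get-SacState
$result = Test-SrpBlocksUserProfile
if ($result.Blocked) {
    "Blocked: $($result.Reason)"
} else {
    'NOT blocked: an .exe in %userprofile% was allowed to run'
}
```

Any control that refuses process creation counts as a block here, so the result is only meaningful for SRP on a machine where SRP is the sole restriction on that path.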
This is because of the novel approach? It was not widely publicized, but starting with Windows 11 22H2 it will create a baseline on fresh installations and detect malicious apps instead of legacy Software Restriction Policies through GPOs (which were always quite inflexible and performance intense, imho). Therefore, some companies adopted other solutions like Citrix WEM.
Have heard the news about this new feature mentioned above on LinkedIn.
I will double check the situation before this spreads as false information or rumour. So take my notes with a pinch of salt until then.
Do they start working again if you turn SAC off? I have the same problem. Upgrading from 21H2 everything was fine, but when I needed to re-install (kept personal files), to my shock none work anymore.