I was told that Software Restriction Policies and SAFER no longer work out of the box under Windows 11 22H2. This is caused by registry entries left in the ISO images that make Windows 11 think AppLocker is active (although it isn't). This can be fixed with a small registry hack. Here is a short overview of the topic, including the hack that lets you continue using SAFER.
Software Restriction Policies (SRP)
Under Windows, there are the so-called Software Restriction Policies (SRP), which can be used to define which programs are allowed to run (whitelisting) or are not allowed to run (blacklisting). Administrators can use these policies to specify which software may run in the operating system. Software Restriction Policies have been available since Windows Server 2003 and are currently (according to this Microsoft page) still available in the following server variants:
- Windows Server 2012
- Windows Server 2012 R2
- Windows Server 2016
- Windows Server 2019
- Windows Server 2022
In addition, Software Restriction Policies are supported in Windows clients (Windows 7, Windows 8.1, Windows 10, Windows 11 21H1). However, the fact is that Microsoft already discontinued Software Restriction Policies (SRP) in June 2020 (see my blog post Windows 10 Version 2004: Deprecated/removed features). In the blog post Windows 11 22H2 no longer supports Software Restriction Policies (SRP), I had pointed out that Software Restriction Policies (SRP) would no longer be supported.
SAFER: Poor man's SRP
Group Policies are only available in the Pro and Enterprise editions of Windows – and since Microsoft neutered the Group Policy options in Windows 10 Pro, you basically have to rely on the Windows Enterprise editions. However, these software restrictions can also be set through registry entries.
Therefore, Stefan Kanthak promoted SAFER as a way to harden users' Windows systems (including Home editions) against ransomware and other malware. The required software restrictions are simply written to the registry via an .inf file. Stefan Kanthak provides the required information, including the installation INF, on his website Stop Malware with Software Restriction Policies alias SAFER. Christoph Schneegans promoted SAFER with a German description on this website for protection against malware (including ransomware). However, Christoph Schneegans' website now states:
As of Windows 11 22H2, SAFER no longer works. An alternative is Windows Defender Application Control (WDAC), which works in all versions of Windows 10 and 11.
Together with my comments in the article Windows 11 22H2 no longer supports Software Restriction Policies (SRP), that looks like a goodbye, doesn't it?
Windows 11: SAFER/SRP still works
Stefan Kanthak has now contacted me by mail to point out that Software Restriction Policies and also SAFER can still be used under Windows 11 22H2. He wrote about this:
The cause of the behavior observed by Will Dormann is the usual sloppiness in Redmond: They ship Windows 11 with registry entries "thanks to" which it thinks AppLocker is active – which (as documented) overrides or disables SAFER.
I had documented the mentioned behavior observed by Will Dormann in the post Windows 11 22H2 no longer supports Software Restriction Policies (SRP) via the following tweet.
Kanthak had already left this German comment there, pointing to the registry entries that cause the mess. In his mail, Stefan Kanthak mentions a simple workaround, which he had already documented on seclists.org in February 2023 (see also), to get this behavior back on track and to be able to use SAFER and the Software Restriction Policies under Windows 11 22H2 again:
After deleting the registry entries:
SAFER / SRP works as usual again. Kanthak notes that the timestamp is 100 ns after 1/1/1601 and is therefore grossly wrong, and that the rule count of 2 (in RuleCount) is also wrong!
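A defender's check for this situation, as an added example (not from the original post and not Kanthak's NTX_SAFER.INF): it lists the local SAFER/SRP settings from the documented CodeIdentifiers registry key next to the effective AppLocker policy, so you can see whether an AppLocker policy is present that would take precedence over SAFER. It assumes Windows 10/11 with the AppLocker PowerShell module (Pro/Enterprise, with a fallback for Home) and does not reproduce the specific entries Kanthak deletes, which this post does not list.

```powershell
# Added example (not part of the original post, not Kanthak's NTX_SAFER.INF):
# show the local SAFER/SRP configuration next to the effective AppLocker policy,
# so an admin can see whether an AppLocker policy is in effect that would take
# precedence over SAFER. Run in an elevated PowerShell on Windows 10/11.
$saferKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# Documented SAFER security levels; DefaultLevel and the per-level subkeys
# (e.g. ...\CodeIdentifiers\0\Paths) use these numbers.
$levelNames = @{ 0 = 'Disallowed'; 4096 = 'Untrusted'; 65536 = 'Constrained';
                 131072 = 'Basic User'; 262144 = 'Unrestricted' }

function Get-SaferStatus {
    if (-not (Test-Path $saferKey)) { return [pscustomobject]@{ Present = $false } }
    $p = Get-ItemProperty -Path $saferKey
    # Path and hash rules are GUID subkeys under <level>\Paths and <level>\Hashes
    $rules = @(Get-ChildItem -Path "$saferKey\*\Paths", "$saferKey\*\Hashes" -ErrorAction SilentlyContinue |
               Get-ChildItem -ErrorAction SilentlyContinue)
    $level = if ($null -eq $p.DefaultLevel) { '(not set)' } else { $levelNames[[int]$p.DefaultLevel] }
    [pscustomobject]@{
        Present            = $true
        DefaultLevel       = $level
        TransparentEnabled = $p.TransparentEnabled   # 1 = all but DLLs, 2 = incl. DLLs
        PolicyScope        = $p.PolicyScope          # 0 = all users, 1 = all but admins
        RuleCount          = $rules.Count
    }
}

function Get-AppLockerStatus {
    # Get-AppLockerPolicy ships with the AppLocker module on Pro/Enterprise;
    # it is not available on Home editions, hence the fallback.
    if (-not (Get-Command Get-AppLockerPolicy -ErrorAction SilentlyContinue)) {
        return [pscustomobject]@{ Available = $false; Collections = ''; RuleCount = 0 }
    }
    [xml]$xml = Get-AppLockerPolicy -Effective -Xml
    $collections = @($xml.SelectNodes('/AppLockerPolicy/RuleCollection'))
    $total = 0
    foreach ($c in $collections) { $total += $c.ChildNodes.Count }
    [pscustomobject]@{
        Available   = $true
        Collections = ($collections | ForEach-Object { "$($_.Type):$($_.EnforcementMode):$($_.ChildNodes.Count)" }) -join ', '
        RuleCount   = $total
    }
}

$safer = Get-SaferStatus; $applocker = Get-AppLockerStatus
$safer | Format-List; $applocker | Format-List
if ($safer.Present -and $applocker.RuleCount -gt 0) {
    Write-Warning 'AppLocker rules are in effect; as documented, AppLocker takes precedence over SAFER/SRP.'
}
```

If SAFER is configured but the AppLocker section reports rules you never created, that is the state this post describes; the output only reports it and changes nothing.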
Kanthak has therefore adapted his NTX_SAFER.INF file to apply these fixes automatically. This may be of interest to one or the other blog reader who has also failed with the Software Restriction Policies under Windows 11 22H2.