GPO Editor "Enforce Certificate Rules" Grayed Out

    Question

  • I'm using Software Restriction Policies with white-listing. Recently, the GPO option for "Enforce Certificate Rules" on the Enforcement dialog box is grayed out (User Configuration\Policies\Windows Settings\Software Restriction Policies). The settings report shows that enforcement is set to "Ignore Certificate Rules". I've used the enforce option in the past and only noticed problems when "Unrestricted" certificate rules recently stopped working. I've found that this option is grayed out in all other GPOs, including new ones I create. It also doesn't matter which DC or workstation with RSAT I use. This makes me think that there is some domain-wide setting causing this. There are a few instances of this mentioned in forums, but no solutions.

    What could have happened and how do I now re-enable certificate rules?

    Friday, February 12, 2016 4:27 PM

All replies

  • You need to apply "System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies" to all computers first:

    https://technet.microsoft.com/en-us/library/cc782660(v=ws.10).aspx

    Also, could you elaborate a bit on this part, which might be the cause: "when 'Unrestricted' certificate rules recently stopped working"?

    Monday, February 15, 2016 2:56 AM
  • Under the Computer Configuration, I do have the "System Settings: Use Certificate Rules..."

    I also have the "Enforce certificate rules" setting enabled under the Computer Configuration:

    But the "Enforcement Properties" options under the User Configuration are still disabled:

    What I mean by "'Unrestricted' certificate rules recently stopped working" is that users are blocked from running signed software when I have an unrestricted certificate rule using the certificate from the blocked EXE.

    These rules have previously worked for months and, in the past week or two, some users complained that the EXEs were being blocked by group policy. I checked the GPO and found that the certificate rules could no longer be enabled in the GUI. The path rules (e.g. C:\Users) are working, but the exceptions from the supposedly higher precedence certificate rules are being ignored. After comparing the certificates, the EXEs are signed with the exact same certificates as the certificate rules. I've even removed and re-added the certificate rules using the extracted certificates from the blocked EXEs, but they are still blocked if they are in a restricted path.

    I've linked this GPO at the domain level and it should apply to all Authenticated Users:

    I would greatly appreciate any thoughts or comments on what might be wrong, and I can provide more information if needed.


    --Bill


    Tuesday, February 16, 2016 9:08 PM
  • Hello,
     
    Thank you for your question.
     
    I have tested this in my local lab, the same behavior here. I am trying to involve someone familiar with this topic to further look at this issue.
     
    Thank you for your patience.
     

    Regards,

    Ethan Hua


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com

    Wednesday, February 17, 2016 9:34 AM
    Moderator
  • > Under the Computer Configuration, I do have the "System Settings: Use
    > Certificate Rules..."
    >
    > I also have the "Enforce certificate rules" setting enabled under the
    > Computer Configuration:
     
    Did you run "gpresult /h report.html" (or the gpmc Rsop report) and
    check if these settings arrive at your computers?
     
    Thursday, February 18, 2016 1:59 PM
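    To complement the "gpresult /h" check suggested above and the first reply's point about the "Use Certificate Rules on Windows Executables" security option, here is an added PowerShell snippet (not posted by anyone in this thread) that decodes the SRP values Group Policy writes to the registry for both the Computer (HKLM) and User (HKCU) scope. It assumes the documented value names under ...\Safer\CodeIdentifiers and should be run as the affected user on an affected workstation.

    ```powershell
    # Added example, not from any poster in this thread: decode the effective
    # Software Restriction Policy settings that Group Policy writes to the registry,
    # for both the Computer (HKLM) and the User (HKCU) scope. It assumes the
    # documented value names under ...\Safer\CodeIdentifiers; run it as the
    # affected user on an affected workstation (reading these keys needs no elevation).

    $DefaultLevels = @{ 0 = 'Disallowed'; 0x20000 = 'Basic User'; 0x40000 = 'Unrestricted' }
    $Enforcement   = @{ 1 = 'All files except libraries (DLLs)'; 2 = 'All software files' }
    $Scopes        = @{ 0 = 'All users'; 1 = 'All users except local administrators' }
    $CertRules     = @{ 0 = 'Ignore certificate rules'; 1 = 'Enforce certificate rules' }

    function Decode($Value, [hashtable]$Map) {
        # A missing value means the setting was never written (the policy did not arrive)
        if ($null -eq $Value) { return '(not set)' }
        if ($Map.ContainsKey([int]$Value)) { return $Map[[int]$Value] }
        return "unknown ($Value)"
    }

    function Get-SrpSettings {
        param([ValidateSet('HKLM', 'HKCU')][string]$Hive)
        $key = "${Hive}:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"
        if (-not (Test-Path -Path $key)) {
            return [pscustomobject]@{ Scope = $Hive; PolicyPresent = $false }
        }
        $p = Get-ItemProperty -Path $key
        [pscustomobject]@{
            Scope            = $Hive
            PolicyPresent    = $true
            DefaultLevel     = Decode $p.DefaultLevel        $DefaultLevels
            Enforcement      = Decode $p.TransparentEnabled  $Enforcement
            AppliesTo        = Decode $p.PolicyScope         $Scopes
            # AuthenticodeEnabled is the value behind the "Enforce certificate rules"
            # radio button; the security option from the first reply sets it under HKLM.
            CertificateRules = Decode $p.AuthenticodeEnabled $CertRules
        }
    }

    # HKLM reflects the Computer Configuration result, HKCU the User Configuration
    # result. If HKCU is missing or shows '(not set)' for CertificateRules, the user
    # policy did not reach this client, which "gpresult /h" will also show.
    'HKLM', 'HKCU' | ForEach-Object { Get-SrpSettings -Hive $_ } | Format-List
    ```

    Comparing the decoded output with the settings report from the GPO editor tells you whether the "Ignore Certificate Rules" shown in the report is what the client actually received.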
  • Hi Bill,
     
    Could you please help to collect GPMC logging for further investigation?
     
    Please collect the logging referring to the following article (you can share it via OneDrive and then post the link here):
     
    https://technet.microsoft.com/en-us/library/cc737379(v=ws.10).aspx
     

    Regards,

    Ethan Hua



    Monday, March 14, 2016 1:45 AM
    Moderator
  • Hi Bill,
     
    Hope you are doing good. How is it going?
     
    If you are still blocked by this, could you please send us the GPMC logging?
     

    Regards,

    Ethan Hua



    Monday, March 21, 2016 1:27 AM
    Moderator
  • Hi Ethan,

    We have the same problem and I am wondering what you found about it. Basically, "Enable certificate rules" for user configuration group policy is grayed out. This creates a little problem for us, as we hope the same rule should work when a domain user logs in.

    Unlike computer configuration which applies when a computer joins the domain, the user configuration applies when a domain user logs on. The disadvantage of computer configuration software restriction policy is that users with local admin rights can disable software restriction policy through local security policy which disables the software restriction policy coming from domain computer configuration group policy.

    With user configuration software restriction policy, domain users who have local admin rights cannot bypass the software restriction rules applied from user configuration, even though they can disable local software restriction policy and at the same time disable the software restriction policy from computer configuration group policy.

    All in all, if the certificate rules for user configuration works, that would be great. When will this happen and why not?

    Thanks,

    George.

    Tuesday, April 04, 2017 5:03 PM
  • > The disadvantage of computer configuration software restriction policy is that users with local admin rights can disable software restriction policy
     
    This is not a disadvantage. Users with admin rights can enable/disable everything you impose on them. There is NO WAY to restrict a local admin.
     
    > domain users who has local admin rights cannot bypass the software restriction rules applied from user configuration
     
    regedit, delete the safer key and SRP is gone... Thinking about preventing regedit? No problem, use WMI/VBS/PowerShell/xyz. Using whitelisting and only allowing Office apps? No problem, use a macro. Preventing macros in Office? No problem, craft an HTML page with some JavaScript. Get the picture? If I am admin, I OWN the system :)
     
    Wednesday, April 05, 2017 1:26 PM
  • I have to admit your argument that a local admin owns the computer is really convincing. But in practice, there are some real differences between legitimate operations and illegitimate actions. Surely local admins can do a lot of damage if they really are local admins and know how. In most cases, because of the Windows operating system and/or the development tools, our web developers have to have local admin rights in order to get their work done. In these cases, I would argue that making it harder for them to bypass SRP is not a bad option.

    Certainly I agree in principle that the rules for SRP should be clear and clean. I can only wish that the same rule were used to create tools and systems for regular users. That way we would not be forced to let regular users have local admin rights, and our computer systems would be much more secure.

    Thursday, April 06, 2017 4:59 PM