Software Restriction Policy - Certificate Rule

    Question

  • Good day,
    I currently have Software Restriction Policy enabled in our domain.
    The Security Level is set to "Disallowed" which means no executables are allowed unless the user is administrator.

    It's become very frequent now that people need to launch online meeting tools such as Webex, Gotomeeting, Joinme, Zoom, etc.
    Obviously, normal users cannot do so as SRP restricts exe, msi execution. This requires administrator user's permission to have these applications launched.

    I am thinking that perhaps I could use "Certificate Rules" to whitelist aforementioned companies' certificates.
    However, how do I get the actual certificate files? (.cer)

    Any idea if my approach is sound? Ideas?
    Many thanks for any help you can provide
    Wednesday, May 04, 2016 10:40 PM

Answers

  • To get the certificates from installer. FYI.

    Go to properties of installer file -> Digital Signature -> Details -> View cert -> Save.


    Devaraj G | Technical solution architect

    • Marked as answer by Multra Monday, May 09, 2016 8:21 PM
    Friday, May 06, 2016 2:30 PM

All replies

  • Hi Multra,

    You could export the certificate from the certificate on MMC.

    Here are two articles below for your reference.

    Create a certificate rule

    https://technet.microsoft.com/en-us/library/cc757067(v=ws.10).aspx

    Best Regards,

    Jay


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, May 06, 2016 8:05 AM
    Moderator
  • @Jay

    Thanks, that works!

    • Edited by Multra Friday, May 06, 2016 8:19 PM
    Friday, May 06, 2016 7:57 PM
  • @Devaraj G,

    This is what I ended up doing, thanks.

    • Edited by Multra Friday, May 06, 2016 8:19 PM
    Friday, May 06, 2016 7:57 PM
  • Is there a way to import two similar named certificates, with different dates?

    Seems like GoToMeeting for example has some dll and exe that have different validity dates. SRP does not let me add the same named certificate.


    • Edited by Multra Friday, May 06, 2016 8:20 PM
    Friday, May 06, 2016 8:03 PM
  • Hi Multra,

    In my opinion, we cannot import two certificates with the same name into a software rule.

    In addition, if the reply above has resolved your problem, please mark it as answer, as it would be helpful to anyone who encounters a similar problem.

    Thank you.

    Best Regards,

    Jay


    Monday, May 09, 2016 11:43 AM
    Moderator
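
A scripted form of the export step from the marked answer, which also lists signer certificates that share a name but differ in validity dates, as raised later in the thread. This is an added example, not part of any post; both folder paths are placeholders.

```powershell
# Added example: export the distinct Authenticode signer certificates found
# under a folder as .cer files. Both default paths below are placeholders.
param(
    [string]$SourceDir = 'C:\Temp\MeetingTools',   # placeholder: folder holding the vendor's files
    [string]$OutDir    = 'C:\Temp\SignerCerts'     # placeholder: where the .cer files are written
)

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

$signed = Get-ChildItem -Path $SourceDir -Recurse -File -Include *.exe, *.dll, *.msi |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        # Only use signatures Windows validated; skip unsigned or altered files.
        if ($sig.Status -eq 'Valid') {
            [pscustomobject]@{
                File       = $_.FullName
                Cert       = $sig.SignerCertificate
                Thumbprint = $sig.SignerCertificate.Thumbprint
            }
        } else {
            Write-Warning "$($_.Name): signature status is $($sig.Status), skipped"
        }
    }

# One .cer per distinct certificate. The thumbprint in the file name keeps
# certificates with the same subject but different validity dates apart.
$report = $signed | Group-Object Thumbprint | ForEach-Object {
    $cert  = $_.Group[0].Cert
    $name  = $cert.GetNameInfo('SimpleName', $false) -replace '[^\w\-]', '_'
    $path  = Join-Path $OutDir "$name-$($cert.Thumbprint).cer"
    $bytes = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    [System.IO.File]::WriteAllBytes($path, $bytes)
    [pscustomobject]@{
        Subject    = $cert.Subject
        NotBefore  = $cert.NotBefore
        NotAfter   = $cert.NotAfter
        Thumbprint = $cert.Thumbprint
        Files      = $_.Count
        CerFile    = $path
    }
}

$report | Sort-Object Subject, NotBefore | Format-Table -AutoSize
```

A certificate rule allows every file signed with that certificate, so check the Subject and file count in the report before creating a rule from an exported .cer.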