Software Restriction Policies option greyed out. Enforcement [When applying Software Restriction Policies]

    Question

  • I am using the Software restriction policies at a user level to prevent exe's from running in select areas. Since we have found an application which must be installable, I am trying to use a Certificate Rule to allow this to run.

    However, the rule does not work, because I cannot select the dot box {Enforce Certificate Rules} under Software Restriction Policies\Enforcement. It is greyed out and unselected. Under the Group Policy Results it is reported as {Ignore certificate rules}.

    I have enabled {System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies} which I note is under Computer Policies not User Policies. (There does not seem to be an equivalent under user.)

    Any help would be appreciated.

    Geoff.

    Enforcement Properties

    Wednesday, October 21, 2015 10:16 PM

All replies

  • Hello,

    Thank you for your post.

    This is a quick note to let you know that we are performing research on this issue.



    Thursday, October 22, 2015 3:42 AM
    Moderator
  • > I have enabled {System settings: Use Certificate Rules on Windows
    > Executables for Software Restriction Policies} which I note is under
    > Computer Policies not User Policies.
     
    And the GPO containing this setting is linked to a Computer OU?
     

    Greetings/Grüße, Martin

    Fancy reading a good book about GPOs?
    Good or bad GPOs? - my blog…
    And if IT bothers me - coke bottle design refreshment (-:
    Thursday, October 22, 2015 8:12 AM
  • Hi Martin,

    I have it working as a computer policy. However, I am trying to implement it via users.

    Certificate based application control is listed in the User section, which suggests to me it should be available. In fact I've entered the certificates for allowing programs under the user policy as well, but because of the above, it ignores the setting. In the GPO results it reports this as "ignore certificated based rules".

    Geoff.

    Thursday, October 22, 2015 8:21 AM
  • > I have it working as a computer policy. However, I am trying to
    > implement it via users.
     
    As you already noticed: You have to enable "enforce cert rules" per
    computer, then you should be able to use them for the user. Never tried,
    to be honest - we are using AppLocker :()
     

    Greetings/Grüße, Martin

    Thursday, October 22, 2015 8:42 AM
  • Hi Shaon,

    Have you been able to reproduce the issue?

    Geoff.

    Thursday, October 22, 2015 9:47 PM
  • Try to create a new GPO to apply "System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies" to all computers first.

    GPupdate, then try it again.

    https://technet.microsoft.com/en-us/library/cc781511(v=ws.10).aspx
    Friday, October 23, 2015 9:35 AM
  • Hi Aravindhan,

    I have viewed and used that documentation.

    But it still does not make available the [Enforce Certificate Rules] option under the User GPO section. Thereby allowing implementation of Certificate Based Rules via User GPOs.

    The computer based option is available and enabled, and works when using Computer objects to manage Certificate based rules. The user based option is not available (E.g. Greyed Out) and reports {Ignore certificate rules} under a GPO results report. And does not work.

    Regards,

    Geoff.

    Friday, October 23, 2015 11:43 AM
  • I'm suspecting it's something on your cert rule. Can you please confirm whether you have created the rule correctly with a good cert?
    Monday, October 26, 2015 10:06 AM
  • I'm quite confident that the certificate rule is valid as I've successfully set it up and used it using the computer based GPO.

    Monday, October 26, 2015 10:16 AM
  • OK, kind of out of luck on this. It's working pretty well on my side..
    Wednesday, October 28, 2015 2:08 AM
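
A diagnostic for the situation discussed in this thread, added here as an example and not posted by any participant: it reports, on an affected client, whether the computer-side "Use Certificate Rules" option has applied and whether a user-scope SRP policy is present. It assumes the option is stored as the DWORD `AuthenticodeEnabled` under the `Safer\CodeIdentifiers` policy key; `Get-SrpScopeState` is a hypothetical helper name.

```powershell
# Added diagnostic: reports how SRP certificate-rule enforcement resolved on this client.
# Assumption: "System settings: Use Certificate Rules on Windows Executables for
# Software Restriction Policies" is stored as the DWORD AuthenticodeEnabled.
$saferSubKey = 'Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

function Get-SrpScopeState {
    # Hypothetical helper: reads the SRP policy key for one scope (HKLM = computer, HKCU = user).
    param(
        [Parameter(Mandatory)] [ValidateSet('HKLM', 'HKCU')] [string] $Hive
    )
    $path  = "${Hive}:\$saferSubKey"
    $state = [ordered]@{
        Scope               = if ($Hive -eq 'HKLM') { 'Computer' } else { 'User' }
        PolicyKeyPresent    = Test-Path -Path $path
        AuthenticodeEnabled = $null   # stays $null when the value is not configured
        DefaultLevel        = $null
    }
    if ($state.PolicyKeyPresent) {
        $values = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
        foreach ($name in 'AuthenticodeEnabled', 'DefaultLevel') {
            if ($values.PSObject.Properties.Name -contains $name) {
                $state[$name] = $values.$name
            }
        }
    }
    [pscustomobject]$state
}

$computer = Get-SrpScopeState -Hive HKLM
$user     = Get-SrpScopeState -Hive HKCU
$computer, $user | Format-Table -AutoSize

if ($computer.AuthenticodeEnabled -ne 1) {
    Write-Warning ('Computer-side "Use Certificate Rules" setting has not applied here. ' +
        'Check that its GPO is linked to the OU holding this computer account, then run gpupdate.')
} elseif (-not $user.PolicyKeyPresent) {
    Write-Warning 'Computer-side setting is applied, but no user-scope SRP policy reached this user.'
} else {
    Write-Output 'Computer-side setting is applied and a user-scope SRP policy is present.'
}

# Resultant policy for both scopes, to compare with the registry values above
# (the computer scope needs an elevated prompt).
gpresult /r /scope computer
gpresult /r /scope user
```

Run it in the affected user's session on a client, after a policy refresh, and compare the output with the Group Policy Results report mentioned in the question.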