Software Restriction Policies still apply when running as administrator

  • Question

  • Hi all,

    Windows 10 Pro x64, enabled Software Restriction Policies via local security policy. The VM is a member of the domain.

    I have set enforcement to all users except local administrators, but C:\Temp\install.bat keeps being blocked even when I run it as administrator.

    I am logged on to the VM with my domain administrator account. The domain administrator group is a member of the local Administrators group. I have NOT added my domain admin account directly into the local admin group.

    Also, I have not touched UAC.

    Any ideas?

    Wednesday, October 24, 2018 3:44 PM

Answers

  • So AppLocker is definitely not working for Windows 10 Pro, which is a bummer.

    Having said that, I think I worked out SRP too: when you right-click an installer file and choose Run as administrator, it is that EXE that bypasses SRP, but not the EXE it extracts into %localappdata% and then runs :)

    So the lesson learned is that you want to install your applications using some method of deployment that installs under SYSTEM and then just leave SRP to manage the running of applications.

    When manually walking around your machines installing software for users, SRP is a nightmare :) but if we use KACE or GPO software deployment then we are good with installing software.

    Wednesday, October 31, 2018 8:44 AM
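    The thread never shows what the machine itself reports about the policy, which is the first thing to check before blaming the edition. The following PowerShell script is an added example, not code from the thread or from Microsoft: it reads the SRP settings in effect from the registry key that both secpol.msc and Group Policy write to, reports whether the current session is elevated (the "except local administrators" scope is evaluated against the process token, which is why an elevated installer and the unelevated child it spawns can be treated differently), and lists recent SRP block events from the Application log with the rule type that fired and the blocked path. The event ID to rule-type mapping is the standard SRP set; the regex that pulls the path out of the event message assumes the English message text and is an assumption, not a documented contract.

```powershell
# Added example (not from the thread). Run on the affected machine, once from an
# elevated PowerShell and once from a normal one, and compare.

function Get-SrpEnforcement {
    # secpol.msc and GPO both write SRP settings under this key.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    if (-not (Test-Path $key)) {
        return [pscustomobject]@{ Configured = $false }
    }
    $p = Get-ItemProperty -Path $key
    $levels = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }
    $level = if ($null -ne $p.DefaultLevel) { $levels[[int]$p.DefaultLevel] } else { 'not set' }
    # PolicyScope 0 = all users; 1 = all users except local administrators
    $scope = if ($p.PolicyScope -eq 1) { 'All users except local administrators' } else { 'All users' }
    [pscustomobject]@{
        Configured      = $true
        DefaultLevel    = $level
        Scope           = $scope
        # TransparentEnabled 1 = all software files except libraries (DLLs); 2 = all software files
        CheckDlls       = ($p.TransparentEnabled -eq 2)
        ExecutableTypes = $p.ExecutableTypes
    }
}

function Test-IsElevated {
    # The admin exemption is decided per process token. Under UAC a non-elevated
    # console on an admin account carries a filtered token and still gets the policy.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    (New-Object Security.Principal.WindowsPrincipal $id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-SrpBlockEvents {
    param([int]$MaxEvents = 50)
    # Standard SRP event IDs written to the Application log when a file is blocked.
    $ruleType = @{ 865 = 'default level'; 866 = 'path rule'; 867 = 'certificate rule'
                   868 = 'zone rule'; 882 = 'hash rule' }
    $events = Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-SoftwareRestrictionPolicies'
        Id           = @($ruleType.Keys)
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Assumption: the English message reads "Access to <path> has been restricted ...".
        $path = if ($e.Message -match 'Access to (.+?) has been restricted') { $Matches[1] } else { '' }
        [pscustomobject]@{
            Time         = $e.TimeCreated
            Rule         = $ruleType[$e.Id]
            Path         = $path
            # An installer unpacking into %LOCALAPPDATA% lands under the profile,
            # exactly where a Disallowed default level or a C:\Users path rule bites.
            UnderProfile = $path -like "$env:SystemDrive\Users\*"
        }
    }
}

Get-SrpEnforcement | Format-List
"Current session elevated: $(Test-IsElevated)"
Get-SrpBlockEvents | Format-Table -AutoSize
```

    If the Scope field reads "All users" although the policy editor shows the administrator exemption, the GPO or local policy has not refreshed; if it reads correctly but blocks still appear for a path under C:\Users while the session is elevated, the blocked image was started by a process whose token was not elevated, which is the situation the accepted answer describes.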

All replies

  • Hi,

    Software Restriction Policies (SRP) is supported on systems running Windows Vista or earlier. I noticed you are running Windows 10 on your system, so I recommend using AppLocker, which is a newer restriction tool used on Windows 7 and later operating systems.

    When both SRP and AppLocker policies are applied to computers running Windows Server 2008 R2, Windows 7 and later, the SRP policies are ignored. For targeting a rule to a user or a group of users: SRP rules only apply to all users on a particular computer, whereas AppLocker rules can be targeted to a specific user or a group of users.

    As your issue occurs on all user accounts, I recommend testing with AppLocker; it would meet your desire to grant different users different privileges to run applications.

    AppLocker deployment guide

    Bests, 


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, October 25, 2018 6:13 AM
    Moderator
  • Morning Joy-Qiao,

    According to this article, SRP began with Windows Server 2008 and Windows Vista. That is in direct contrast with what you just said.

    AppLocker is only for Windows 10 Enterprise or Education, not for the Pro version.

    Please do let me know if you have any further advice for how to apply to normal users and not local admins.

    Thursday, October 25, 2018 7:06 AM
  • Good morning, 

    Thank you for your quick reply. 

    Here is what I referenced in the reply above: Use AppLocker and Software Restriction Policies in the same domain.

    Considering you are using Windows 10, even though software restriction policies also apply to Windows 10, as you need to restrict different groups with different privileges, I would recommend using the latest measure, AppLocker, to configure this.

    According to your symptom, it seems that software restriction policies apply to all accounts on your side, no matter whether local user account or administrator account. It looks like the expected behavior throughout the description of the article, so we could try AppLocker to check again.

    Bests, 



    Thursday, October 25, 2018 7:57 AM
    Moderator
  • But this still does not address the fact that AppLocker is not supported on Windows 10 Pro.
    Thursday, October 25, 2018 8:37 AM
  • Hi, 

    According to my test, AppLocker also applies to Windows 10 Pro version 1803; try to test on your side and check again.

    Also, since Windows 10 version 1803, Software Restriction Policies in Group Policy was added to the list of features no longer actively developed. For more information, please see: Features removed or planned for replacement starting with Windows 10, version 1803



    Thursday, October 25, 2018 9:56 AM
    Moderator
  • Hi Joy,

    So looking at https://docs.microsoft.com/en-gb/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker

    It says:

    "You can use the AppLocker CSP to configure AppLocker policies on any edition of Windows 10 supported by Mobile Device Management (MDM). You can only manage AppLocker with Group Policy on devices running Windows 10 Enterprise, Windows 10 Education, and Windows Server 2016."

    I wonder if that is only talking about managing the AppLocker policies. I will do another test.

    Thursday, October 25, 2018 12:30 PM
  • So that does appear to work actually. Having said that, it broke the Start menu on Windows 10 LTSB x64 1607.

    I had to do a packaged apps rule. Well, the default rule seems to work.

    Do you have any good guides on AppLocker you can reference?

    Thursday, October 25, 2018 1:56 PM
  • Hi, 

    Thank you for your trust and cooperation.

    "Having said that it broke the start menu on Windows 10 LTSB x64 1607"

    Did you encounter this issue on your side?

    Yes, I have heard many customers say AppLocker has compatibility issues with the Start menu on specific system versions. But as the environment at customers is complex and variable, it would be difficult to point out whether it was caused by the function or by the user's environment, as it does not occur on every specific system device. Windows 10 LTSB is a streamlined system version intended only for safe and stable factory environments, so we could treat it as a different version from the others.

    I searched for a step-by-step manual about using AppLocker; we could refer to:

    Blocking built-in apps in Windows 10 using Applocker

    Please Note: Since the website is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    Bests, 



    Friday, October 26, 2018 3:27 AM
    Moderator
  • Hi Joy,

    I have to apologise because, while I got it working, it was on Windows 10 LTSB and not Pro.

    I have just applied policies to my work Windows 10 Pro and Event Viewer says this:

    So it looks to me like AppLocker does NOT work on Windows 10 Pro.

    Friday, October 26, 2018 9:34 AM