Help with disabling App Control for Business policy and Code Integrity

[brunoshure]

Hello!

I need help and I can't figure out what I'm doing wrong. I've read the wiki already and some things didn't work as intended.

Regarding App Control for Business and Code Integrity, here's the way they are set up:

App Control for Business policy: Enforced
App Control for Business user mode policy: Audit

How would you change from Enforced to Audit, at least in Kernel-mode, since User-mode is already on Audit?

I have read a bunch of documentation from Microsoft and according to them if the policy is Enforced you can't just disable it, you need to:
First - Change the policy to an Audit policy (it apparently needs to have the same ID);
Second - Then you can disable it (after rebooting).

I basically need to change an existing policy or create a new one that has AUDIT mode and deploy it.

This is where my problems start!

I've tried using App Control Wizard to create an AllowAll.xml policy and deploy it using Group Policy, to no avail. Then I found this app - AppControl Manager - which makes this job much easier. I can create, edit and deploy policies in a simple manner. But even then I can't properly configure these policies or edit existing ones to my liking. I'm probably doing something wrong. The app also doesn't allow me to edit some of the deployed policies. I don't know if this is an app problem or a problem with my policies.

Policies.mp4

As you can see, some of the policies show some type of error and the "Remove" button is greyed out.

I appreciate if someone could shed some light on this issue for me. It would really help, because I'm messing with some things on this test install and I need to disable these "features" like VBS and Code Integrity. Thanks in advance!

[HotCakeX]

Hi,
The Kernel-mode is always on Enforced mode by default because of this 👇

Depending on your hardware config and setup, there can be different ways to disable it. This doc goes over the UEFI lock scenario: https://github.com/HotCakeX/Harden-Windows-Security/wiki/Device-Guard

[HotCakeX]

Is that toggle i showed you in the screenshot in the Microsoft Defender's GUI enabled or disabled? What essentially matters is how the live OS is currently configured

[brunoshure]

It's disabled.

[HotCakeX]

Is Smart App Control disabled too? Also when you reboot, do you still see the toggle for vulnerable driver block list being disabled?

[brunoshure]

Smart App Control is in Audit. Vulnerable driver block the toggle is still present, but currently disabled. Even after reboot.

If you have memory integrity, Smart App Control, or Windows S mode on, the vulnerable driver blocklist will be on too.

This is avaiable on this link: https://support.microsoft.com/en-us/windows/device-security-in-the-windows-security-app-afa11526-de57-b1c5-599f-3a4c6a61c5e2

I can guarantee all of those are disabled, including Smart App Control which I just disabled and rebooted.

Now it shows like this:

App Control for Business policy: Enforced
App Control for Business user mode policy: Disabled

[HotCakeX]

I'd try disabling Smart App Control instead of leaving it on eval mode. If all of them are fully disabled and you don't have any custom App Control policies deployed (not even audit mode ones) then it should be off for both kernel and user mode.