Policy Plus brings Group Policy to all Windows editions

John C.

Nov 29, 2021, 8:11:13 AM
Note: I haven't tried this yet. Looks promising though.
_______________________________________________________________________

Local Group Policy Editor plus more, for all Windows editions.

Goals

Policy Plus is intended to make the power of Group Policy settings
available to everyone.

- Run and work on all Windows editions, not just Pro and Enterprise
- Comply fully with licensing (i.e. transplant no components across
  Windows installations)
- View and edit Registry-based policies in local GPOs, per-user GPOs,
  individual POL files, offline Registry user hives, and the live Registry
- Navigate to policies by ID, text, or affected Registry entries
- Show additional technical information about objects (policies,
  categories, products)
- Provide convenient ways to share and import policy settings

Non-Registry-based policies (i.e. items outside the Administrative
Templates branch of the Group Policy Editor) currently have no priority,
but they may be reconsidered at a later date.

System requirements

Policy Plus requires .NET Framework 4.5 or newer. That can be installed
on Windows Vista or newer, and comes preinstalled on Windows 8 or newer.
Policy Plus should also work on the corresponding server OSes: Windows
Server 2008 or newer. The standard .NET Framework hardware requirements
are sufficient for Policy Plus.

Special considerations for use on Home editions

Some administrative templates are present by default on these editions,
but many are missing. The newest full package can be downloaded from
Microsoft and installed with Help | Acquire ADMX Files.

The RefreshPolicyEx native function has reduced functionality on
editions without full Group Policy infrastructure, so while Policy Plus
can edit the local GPO and apply the changes to the Registry, a reboot
or logon/logoff cycle is required for some policy changes to take effect.

While the UI allows the creation and editing of per-user GPOs, their
settings cannot be applied on these limited editions of Windows. If you
need to change a policy setting for only one user, open the "user hive"
source instead. Per-user local GPOs, a fairly arcane Windows feature,
are not to be confused with policies that apply to the User section.
Policy Plus supports user policies on Home editions just as well as
computer policies.

Home page: https://github.com/Fleex255/PolicyPlus
Download: https://github.com/Fleex255/PolicyPlus/releases/tag/May2020

Major Geeks page about the program:
https://www.majorgeeks.com/files/details/policy_plus.html

--
John C. BS206. No ad, CD, commercial, cripple, demo, nag, pirated,
share, spy, time-limited, trial or web wares for me please. I filter out
posts made from Google Groups and cross-posted (sent to more than one
newsgroup at a time) messages. I recommend you do likewise.

VanguardLH

Nov 29, 2021, 12:15:34 PM
From the MajorGeeks article:

"There is no version number yet. It is considered early development
but as far as we can tell, it's stable and bug-free. It should be
regarded as an alpha build for now."

In QA testing, even alpha versions get version numbers, so this tool
should be considered pre-alpha quality; i.e., highly experimental. For
now, they are just using datestamps to identify code branches. There isn't
much activity going on considering this is a pre-alpha quality tool.
One date tag is May 2020 and the second is Jun 2021. That's a year
apart between code branches.

There are hidden functions inside of Windows regarding the creation of
policies that are assigned a hash via the crypto API that gpedit.msc
will call. I haven't deeply delved into how this hash is created to
know how it works, like how the hash is generated. For example, when
defining SRPs (Software Restriction Policies), you cannot simply use
regedit.exe to define them.

https://docs.microsoft.com/en-us/windows-server/identity/software-restriction-policies/software-restriction-policies

You can try to define SRPs using regedit.exe, or some 3rd party tool,
but you won't be able to define the safety hash that gets assigned to
them to prevent malware from doing exactly what you are doing with the
registry editor, or via .reg files to apply registry changes. An SRP is
protected from unauthorized modification by having a hash that only
Windows knows to define in cooperation with the Microsoft-based policy
editor. SRPs are very handy to allow/block an application from loading.
Think of them like application firewalls: instead of blocking
connections, SRPs decide whether to allow or block loading of apps. For
example, some apps cannot have their outbound connections blocked to
prevent automatic updating, because that would impact or nullify the
purpose of a web-centric app. If they use a separate updater program,
you could block that from loading.

This is similar to protected filetype definitions. Some get a
UserChoice registry entry that has a hash value that only Windows can
generate by using the Default App wizard. You cannot create the crypto
key yourself (it will be invalid). You cannot copy the UserChoice entry
into the registry (the hash won't be valid). This is to prevent
malware, or rudeware, from altering the filetype definitions without
your authorization. While filetypes just get a hash value assigned to
them, as I recall the SRP entries themselves are crypto scrambled. When
you define them in the policy editor, looking at them using regedit.exe
shows the data item values are encrypted. I don't have a Pro host to
check if my recollection is correct. There are crypto entries that
regedit.exe won't show you no matter how many permissions you have.
It's a user-mode viewing tool, as would be any 3rd-party tool. As a
user, even as an Administrator, you don't get to see everything in the
registry.

There are lots of non-protected registry entries, so using regedit.exe,
reg.exe files, or 3rd-party tools will work for most policies. All
policies are registry entries, but some of those are crypto protected,
and only Microsoft's policy editor along with keys embedded in Windows
can assign the proper hashing to a policy entry, or other protected
entries. I searched their Issue records, and nothing shows up regarding
crypto protection, or even for hash data values assigned to entries.

JJ

Nov 30, 2021, 2:12:24 AM
On Mon, 29 Nov 2021 11:15:28 -0600, VanguardLH wrote:
> "John C." <r9j...@yahoo.com> wrote:
>
>> Note: I haven't tried this yet. Looks promising though.
>> _______________________________________________________________________
>>
>> Local Group Policy Editor plus more, for all Windows editions.
[snip]
>> Home page: https://github.com/Fleex255/PolicyPlus
>> Download: https://github.com/Fleex255/PolicyPlus/releases/tag/May2020
>>
>> Major Geeks page about the program:
>> https://www.majorgeeks.com/files/details/policy_plus.html
>
> From the MajorGeeks article:
>
> "There is no version number yet. It is considered early development
> but as far as we can tell, it's stable and bug-free. It should be
> regarded as an alpha build for now."

I actually had to use it, since Windows' own Group Policy management console
broke where it'll freeze waiting for something if the filter is enabled. No
error message or log whatsoever. It used to work but not anymore. Moreover,
Policy Plus has a better search feature.

John C.

Nov 30, 2021, 5:53:44 AM
Note the last phrase.

> It should be
> regarded as an alpha build for now."
>
> In QA testing, even alpha versions get version numbers, so this tool
> should be considered pre-alpha quality; i.e., highly experimental. For
> now, they are just using datestamps to identify code branches. There isn't
> much activity going on considering this is a pre-alpha quality tool.
> One date tag is May 2020 and the second is Jun 2021. That's a year
> apart between code branches.

Oh well, at least it's been under development for four years now.

> There are hidden functions inside of Windows regarding the creation of
> policies that are assigned a hash via the crypto API that gpedit.msc
> will call. I haven't deeply delved into how this hash is created to
> know how it works, like how the hash is generated. For example, when
> defining SRPs (Software Restriction Policies), you cannot simply use
> regedit.exe to define them.
>
> https://docs.microsoft.com/en-us/windows-server/identity/software-restriction-policies/software-restriction-policies
>
> You can try to define SRPs using regedit.exe, or some 3rd party tool,
> but you won't be able to define the safety hash that gets assigned to
> them to prevent malware from doing exactly what you are doing with the
> registry editor, or via .reg files to apply registry changes. An SRP is
> protected from unauthorized modification by having a hash that only
> Windows knows to define in cooperation with the Microsoft-based policy
> editor. SRPs are very handy to allow/block an application from loading.
> Think of them like application firewalls: instead of blocking
> connections, SRPs decide whether to allow or block loading of apps. For
> example, some apps

Are you talking about "apps" or applications? In Windows 10, there is a
difference between the two.

The program has been under development since at least 2017, since I saw
discussion about it that was dated in July of that year:

https://www.ghacks.net/2017/07/25/policy-plus-brings-group-policy-to-all-windows-editions/

Perhaps they only included settings and options that are allowed?

Regardless, thanks very much for all the information. Even though at
first glance PolicyPlus might seem better than nothing for
people who have home versions of Windows, it might not be worth the risk
of using something that might munge the OS into unfunctionality.