@Or Tsemah 



My understanding is that on the older versions of the OS, everyone has read-only access.

However, on the newer versions, and the OS patched in the list below, this GPO is required to allow SAM-R.

Windows 10, version 1607 and later
Windows 10, version 1511 with KB 4103198 installed
Windows 10, version 1507 with KB 4012606 installed
Windows 8.1 with KB 4102219 installed
Windows 7 with KB 4012218 installed
Windows Server 2016
Windows Server 2012 R2 with KB 4012219 installed
Windows Server 2012 with KB 4012220 installed
Windows Server 2008 R2 with KB 4012218 installed

Now, MS recommends enabling the GPO in audit mode first to identify the apps that might require access, in order to avoid breaking things...


The issue in my case is that unlinking the GPO still doesn't fix OAB, and I think there can be other issues as well.

I was expecting the AATP documentation to be very clear and specific, unfortunately, it's not the case...

In the prod env, SAM-R is built for some accounts, but not for others, therefore the guideline of enabling AATP SAM-R is a bit inconsistent...

