[Recommended] Starting with Windows 10, ntdll has added a security feature called 'ProtectedPolicies'
Posted: 2017-4-12 15:16 2748

Original post: 80cK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4u0W2k6s2m8D9j5h3W2@1i4K6u0W2j5X3I4G2k6%4y4H3L8%4c8Q4x3X3g2U0L8$3#2Q4x3V1j5J5x3o6p5%4i4K6u0r3x3o6c8Q4x3V1k6F1N6r3c8D9L8q4)9J5k6s2m8J5L8%4c8W2j5%4c8W2k6s2m8G2L8r3W2U0K9h3g2K6i4K6u0W2K9s2c8E0L8l9`.`.


ntdll ProtectedPolicies

It seems that since Windows 10 ntdll has had a security feature called "ProtectedPolicies" - you can query it with the RtlQueryProtectedPolicy function. The prototype of this function is:
NTAPI NTSTATUS RtlQueryProtectedPolicy(GUID *, PDWORD out_flag);

Let's see how it works:
loc_6A277EFB:   ; CODE XREF: RtlQueryProtectedPolicy(x,x)+12 j
  push    edi
  mov     edi, offset _RtlpProtectedPoliciesSRWLock
  push    edi
  call    _RtlAcquireSRWLockShared@4    ; RtlAcquireSRWLockShared(x)
  push    offset _RtlpSearchProtectedPolicyEntry ; PtFuncCompare
  push    14h                           ; SizeOfElements
  push    ds:_RtlpProtectedPoliciesActiveCount ; NumOfElements
  push    ds:_RtlpProtectedPolicies     ; Base
  push    [ebp+Key]                     ; Key
  call    _bsearch
The policies are stored in the array RtlpProtectedPolicies, the count is in RtlpProtectedPoliciesActiveCount, and the size of each policy is 0x14 bytes (0x18 under x64), so each policy looks like this struct:
struct protected_policy
{
  IID guid;
  DWORD flag;
};

Let's see where RtlQueryProtectedPolicy is called from:

ntdll.dll:
  • from RtlpAddVectoredHandler with GUID {1FC98BCA-1BA9-4397-93F9-349EAD41E057}
  • from RtlGuardCheckLongJumpTarget with GUID {4F6AE3A6-8B1B-4623-A293-294CD743BBD1}
kernel32.dll:
  • from CheckForReadOnlyResourceFilter with GUID GUID_BasepAllowResourceConversion {739C343A-F3E1-4ED8-AC66-8435FEB7C5A5}
KernelBase.dll:
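The lookup shown in the disassembly (bsearch over a table of 0x14-byte {GUID, flag} entries) and the three GUIDs listed above, as an added, portable C model that is not ntdll's code and not part of the original post. It assumes the 32-bit 0x14 layout, a byte-wise GUID ordering for the comparator (the real RtlpSearchProtectedPolicyEntry ordering is not shown), and a constructed table with made-up flag values; the x64 0x18-byte entry is not modelled.

```c
/* Model of the RtlQueryProtectedPolicy lookup: sorted array + bsearch keyed by GUID.
   Table contents, flag values and the compare order are assumptions for illustration. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct { uint32_t Data1; uint16_t Data2, Data3; uint8_t Data4[8]; } GUID;

/* One table entry: GUID followed by its flag, 0x14 bytes as on x86 in the post. */
struct protected_policy { GUID guid; uint32_t flag; };
_Static_assert(sizeof(struct protected_policy) == 0x14, "x86 entry stride is 0x14");

/* Stand-in for RtlpSearchProtectedPolicyEntry: byte-wise compare of the GUID (assumed).
   guid is the first member, so this works for both bsearch keys and qsort elements. */
static int policy_cmp(const void *key, const void *elem) {
    return memcmp(key, elem, sizeof(GUID));
}

/* Parse the registry-style text form used in the post; returns 0 on success. */
static int guid_from_string(const char *s, GUID *g) {
    unsigned d1, d2, d3, b[8];
    if (sscanf(s, "{%8x-%4x-%4x-%2x%2x-%2x%2x%2x%2x%2x%2x}", &d1, &d2, &d3, &b[0], &b[1],
               &b[2], &b[3], &b[4], &b[5], &b[6], &b[7]) != 11) return -1;
    g->Data1 = d1; g->Data2 = (uint16_t)d2; g->Data3 = (uint16_t)d3;
    for (int i = 0; i < 8; i++) g->Data4[i] = (uint8_t)b[i];
    return 0;
}

/* Constructed table: the three GUIDs named in the post, flags 1..3 are made up. */
static struct protected_policy policies[3];
static size_t active_count;               /* models RtlpProtectedPoliciesActiveCount */

static void init_table(void) {
    const char *names[] = { "{1FC98BCA-1BA9-4397-93F9-349EAD41E057}",   /* RtlpAddVectoredHandler */
                            "{4F6AE3A6-8B1B-4623-A293-294CD743BBD1}",   /* RtlGuardCheckLongJumpTarget */
                            "{739C343A-F3E1-4ED8-AC66-8435FEB7C5A5}" }; /* GUID_BasepAllowResourceConversion */
    for (size_t i = 0; i < 3; i++) { guid_from_string(names[i], &policies[i].guid); policies[i].flag = (uint32_t)i + 1; }
    active_count = 3;
    /* bsearch is only correct on a table sorted by the same comparator. */
    qsort(policies, active_count, sizeof policies[0], policy_cmp);
}

/* Model of RtlQueryProtectedPolicy: 0 = found and *out_flag written, -1 = no such policy. */
int query_protected_policy(const GUID *key, uint32_t *out_flag) {
    const struct protected_policy *e = bsearch(key, policies, active_count, sizeof policies[0], policy_cmp);
    if (!e) return -1;
    *out_flag = e->flag;
    return 0;
}

/* Convenience wrapper: look a policy up by its text GUID; returns the flag or UINT32_MAX. */
uint32_t lookup_flag(const char *guid_text) {
    GUID g; uint32_t f;
    if (!active_count) init_table();
    if (guid_from_string(guid_text, &g) != 0) return UINT32_MAX;
    return query_protected_policy(&g, &f) == 0 ? f : UINT32_MAX;
}
```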