Software restriction policy not working correctly

Ladies and Gents,
We run a Windows Server 2008 R2 environment.
We have had a software restriction policy in place for quite some time now, and it had been working fine until about a week ago. Here's how we have it set up:
Enforce = All software files except libraries (such as DLLs) + All users.
Security Level = Disallowed
Designated File Types = Defaults
Additional Rules:
C:\* = Disallow.
The rest of the rules are paths for files and folders that we have set as Unrestricted.
Since about a week ago, our security team has discovered that they can open any allowed file type, such as a text file, then go to File and click Open. In the Open dialog box they type in C:\Windows\System32\drivers\etc\hosts and click Open, and it actually opens the hosts file.
I even tried adding a path rule for C:\Windows\System32\drivers\etc\hosts with Disallow, and it still allows non-admins to open this file.
Any ideas as to why the software restriction policy is not blocking access to files or folders that are not explicitly allowed via a path rule?
Any help or comments are much appreciated.
Mohsen Almassud

You are going in the wrong direction. Software Restriction Policies are designed to prevent users from launching executables/applications. They cannot prevent you from opening a TXT file, because it is not an executable. In order to prevent TXT files from being opened, you have to block the
notepad.exe executable. It is a very different technology.
You must move to a permissions configuration. If there are folders users should not access, remove them from the respective folder's ACL. You must be careful when restricting user access to system folders (%systemroot%), because you may block critical applications
and eventually no one will be able to log on to the server, because logon-dependent paths are not accessible due to restrictions in the ACL.
My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
Check out the new PowerShell FCIV tool.
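As an added example (not code from the thread or from the answerer's tools), the PowerShell below reads the SRP settings a machine has actually applied from the Safer registry keys and shows why the hosts file is outside SRP's scope: SRP evaluates only files whose extension is a standard program type or is in the Designated File Types list, so the control that decides who can read or change hosts is its ACL. The registry layout and value meanings are the documented SRP ones; the script assumes PowerShell 3 or later and an elevated session on a client with the policy applied.

```powershell
# Added example, not code from the thread: read the SRP settings this machine has
# applied and show why a data file such as hosts is outside SRP's scope.
# Assumes the documented Safer registry layout; run in an elevated PowerShell (3+)
# on a client that has the policy applied.

$SrpRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# Security-level DWORDs SRP stores under CodeIdentifiers.
$LevelNames = @{ 0 = 'Disallowed'; 4096 = 'Untrusted'; 65536 = 'Constrained';
                 131072 = 'Basic User'; 262144 = 'Unrestricted' }

function Get-SrpPolicy {
    param([string]$Path = $SrpRoot)
    if (-not (Test-Path $Path)) { throw "No SRP policy found at $Path" }
    $root = Get-ItemProperty -Path $Path

    # Rules live under numeric level subkeys (0 = Disallowed, 262144 = Unrestricted, ...),
    # each holding Paths\{GUID} and Hashes\{GUID} subkeys.
    $rules = foreach ($levelKey in Get-ChildItem -Path $Path) {
        if ($levelKey.PSChildName -notmatch '^\d+$') { continue }
        $level = [int]$levelKey.PSChildName
        foreach ($kind in 'Paths', 'Hashes') {
            $kindPath = Join-Path $levelKey.PSPath $kind
            if (-not (Test-Path $kindPath)) { continue }
            foreach ($rule in Get-ChildItem -Path $kindPath) {
                $p = Get-ItemProperty -Path $rule.PSPath
                if ($kind -eq 'Paths') { $ruleKind = 'Path'; $item = $p.ItemData }
                else                   { $ruleKind = 'Hash'; $item = $p.FriendlyName }
                [pscustomobject]@{ Level = $LevelNames[$level]; Kind = $ruleKind; Item = $item }
            }
        }
    }

    if ($null -ne $root.DefaultLevel) { $default = $LevelNames[[int]$root.DefaultLevel] }
    else                              { $default = 'not set' }
    # TransparentEnabled: 1 = all software files except libraries, 2 = all software files
    if ($root.TransparentEnabled -eq 2) { $enforce = 'All software files' }
    else                                { $enforce = 'All software files except libraries (DLLs)' }
    # PolicyScope: 0 = all users, 1 = all users except local administrators
    if ($root.PolicyScope -eq 1) { $scope = 'All users except local administrators' }
    else                         { $scope = 'All users' }

    [pscustomobject]@{
        DefaultLevel = $default
        Enforcement  = $enforce
        AppliesTo    = $scope
        FileTypes    = @($root.ExecutableTypes)      # the Designated File Types list
        Rules        = @($rules)
    }
}

# SRP only evaluates a file if its extension is a standard program type (EXE, DLL, VBS)
# or is in the Designated File Types list. Anything else, including an extensionless
# file such as hosts or a .txt file, is simply not its concern.
function Test-SrpGoverns {
    param([Parameter(Mandatory)][string]$FilePath, $Policy = (Get-SrpPolicy))
    $ext = [System.IO.Path]::GetExtension($FilePath).TrimStart('.')
    if ($ext -eq '') { return $false }
    if ($ext -eq 'dll') { return ($Policy.Enforcement -eq 'All software files') }
    return ((@('exe', 'vbs') -contains $ext) -or ($Policy.FileTypes -contains $ext))
}

$policy = Get-SrpPolicy
$policy | Select-Object DefaultLevel, Enforcement, AppliesTo | Format-List
$policy.Rules | Sort-Object Level, Item | Format-Table -AutoSize

$hosts = "$env:SystemRoot\System32\drivers\etc\hosts"
"SRP governs ${hosts}: $(Test-SrpGoverns $hosts $policy)"     # False
# The control that decides who may read or change hosts is its ACL, not SRP.
(Get-Acl -Path $hosts).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

The last two lines make the point of the answer concrete: a Disallowed path rule on hosts changes nothing in the report, while the ACL output lists exactly which principals can read or modify the file.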

Similar Messages

  • Software Restriction Policy not allowing Program Files directory on 64-bit machines

    I've created a new software restriction policy; my default security level is set to "Disallowed", and I have the standard built-in allowed locations:
    %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%
    %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%
    and I added another exemption for the C:\Program Files (x86) directory:
    %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)%
    However, on my 64-bit machines, there are still programs being blocked in C:\Program Files:
    C:\Program Files\Microsoft Office 15\ClientX64\OfficeC2RClient.exe
    C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe
    These same programs are not being blocked on my 32-bit machines, but the same policy is being applied to both and the programs are installed in the same locations on both.
    I checked the registry on one of the 64-bit machines, and the default registry key exemption specified above:
    %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%
    does exist on the 64-bit machine and it is set to C:\Program Files, exactly like the 32-bit machines. So why are programs still being blocked here?
    Shaun

    Hi Shaun,
    >>on my 64-bit machines, there are still programs being blocked in C:\Program Files:
    Before going further, are all the applications under the path unable to run, or just some of them? Besides, when we run the applications mentioned above, does it say that it is blocked by group policy? Here, we can run the command
    gpresult /h gpreport.html with administrative privileges to collect a group policy result report to check whether this is caused by some other GPOs.
    Best regards,
    Frank Shen
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

  • Parental Controls Content Restrictions do not work correctly in iTunes?

    I cannot seem to get the content restrictions to fully work in the iTunes Store. The Content Restrictions state that I will not be able to preview, purchase or subscribe to content that is marked as explicit:
    But after setting the Applications level to 4+ and making sure the "Restrict explicit content" box is checked:
    I am still able to view apps for a 17+ audience. The "Entertainment" section of the App Store is filled with applications that feature sexually graphic content (i.e. pictures of nude women in suggestive positions.) The settings do stop me from purchasing the apps. The "Buy App/Get App" button is grayed out so I cannot get the app, but I am still able to preview the app, including screen shots of graphic content along with detailed descriptions.
    Is there a step that I missed? How do I make the 17+ apps not visible? I do not want to disable the entire App store, just the explicit content.
    Thanks!

    I do not understand why APPLE is making it rocket science to protect our kids from this pornography through their Store.
    I have been in a dialogue with APPLE now for 2 weeks about the apps that continue to come up, and researching further their podcasts also. They continue, as recommended here, to suggest that you complain to a feedback link that, unfortunately, ends with a thank you and we will not be contacting you personally about this.
    My suggestion is that you go to one of their 24 hour response links, here is one! (http://www.apple.com/support/itunes/contact.html?form=app_store&topic=App%20Store&subtopic=Downloading%20and%20updating%20Applications) and complain there. It is their responsibility to manage their content.
    The other suggestion is to notify everyone you know of your issue with APPLE and encourage them to also notify APPLE!
    Everyone that I have notified is equally dissatisfied with APPLE.
    Shame, we have to go so far to get APPLE to do what's right!

  • Software Restriction Policy not blocking MSI files

    Hello, we have one SRP in place on our domain that includes MSI files in the Designated File Types, however it is not blocking users from running them. Has anyone else had this issue? What are some things I should look out for? Thanks.

    Hi Erin,
    >>we have one SRP in place on our domain that includes MSI files in the Designated File Types, however it is not blocking users from running them.
    Are these users standard user accounts (without administrative privileges)? Besides, what SRP rule did we configure to disallow the .msi files? Here, we can run the command
    gpresult /h gpreport.html to collect a group policy result report to check how group policy settings are applied. Note, to collect the computer part of the group policy setting report, we need to run the command with administrative privileges.
    In addition, to block .msi files, we can also use AppLocker to do this. Regarding AppLocker, the following articles can be referred to for more information.
    AppLocker Overview
    https://technet.microsoft.com/en-us/library/hh831440.aspx
    Understanding AppLocker Rules
    https://technet.microsoft.com/en-us/library/dd759068.aspx
    Best regards,
    Frank Shen

  • Windows Media Center - wont launch...due to Software Restriction Policy???

    Current system:
    Windows Vista x64 Ultimate RETAIL installed onto clean system.
    UAC disabled
    Using full administrator account w/ no restrictions
    Problem:
    Any time I attempt to launch Windows Media Center or Media Center Extender I receive the following popup error and the program does not even attempt to start:
    Error:
    [Windows Media Center
    "Windows cannot open this program because it has been prevented by a software restriction policy.  For more information contact your system administrator."
    Summary:
    When I initially installed the OS, this problem did not exist. I was able to launch WMC just fine. Only after a couple of months of reinstalling necessary base applications do I now get this error. My family cannot even use it as an extender for the XBOX360 anymore.
    From what I can tell there are a lot of people with this issue and NO SOLUTION from MS as yet. I did see in one post that someone else had this error and was able to correct it by setting WMC as the default application in "Default Programs --> Set Program Access and Computer Defaults". This did not work for me at all. At this point I am at a complete loss. Any insight would be appreciated.
    -J

    For Windows 8, here was the solution that FIXED it for us:
    http://windows.microsoft.com/en-us/windows-8/set-program-access-computer-defaults
    To start, open the Set Program Access and Computer Defaults page:
    Swipe in from the right edge of the screen, and then tap Search. (If you're using a mouse, point to the upper-right corner of the screen, move the mouse pointer down, and then click Search.)
    Enter control panel in the search box, and then tap or click Control Panel.
    Under View by:, select Large Icons, and then tap or click Default Programs.
    Tap or click Set program access and computer defaults.
    Set program access
    If you want to make a program inaccessible without uninstalling it, you can set it so it doesn't appear where programs are typically listed.
    On the Set Program Access and Computer Defaults page, under Choose a configuration, tap or click Custom.
    Clear the Enable access to this program check box next to the programs you want to make inaccessible, and then tap or click OK.
    Shawn Lafferty

  • Firefox 8.0.1 bypasses Windows software restriction policy and Windows UAC

    With the release of Firefox 8.0.1, Firefox bypasses Windows Software Restriction Policy (SRP).
    With Firefox 8.0.0 - (and previous), Firefox conformed to the policy set forth in SRP.
    In addition to the fact that Firefox completely ignores Windows SRP, Firefox also ignores Windows User Account Control. Standard, non-admin, accounts are able to install Firefox without administrative privileges. When the user executes the Firefox installer, Windows UAC prompts the user to elevate to install the program. If the user clicks "no" the Firefox installer continues past UAC and installs the program in the user's %appdata%\local folder instead of the %programfiles% (if the user were to elevate). Any other program would have ceased the installation if not elevated.
    I haven't seen any other software ignore SRP and continue to run and/or bypass UAC and continue to install.
    Please advise on what software policy needs to be in place to prevent Firefox from being installed and run on my domain.

    UAC prevents software from making system-wide changes without an administrator's consent. Its purpose isn't for IT staff to control which software may run, though most installers try to make their software available to all users on the computer.
    Are you checking the hash of the installer instead of the executable? Firefox gets updated frequently enough that maintaining hashes will be a lot of work.
    I haven't tried this, but perhaps populating user profile folders with a read-only path will cause the Firefox installer to fail. You'll also need to consider portable Firefox (http://portableapps.com/apps/internet/firefox_portable).

  • Internet Explorer 11 "Enterprise Mode" do not work or do not work correctly!

    Dear community,
    Since yesterday we have been testing the "Enterprise Mode" feature of Internet Explorer 11. However, we have many problems
    with this feature. We have configured it as described in the official instructions from MS, but it does not work
    properly. Here is exactly what we have done to test this feature:
    In the registry key "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\Enterprise Mode" we created the entry "Site List" and created the string "Enable". In the
    string "Enable" we added no value.
    For the string "Site List", we specified the path to the XML file as the value of this string.
    The XML file was created with the Site List Manager from Microsoft.
    And now we noticed the following problems:
    "Enterprise Mode" is only "active" if the user(!) checks "Enterprise Mode" under "Tools"...!
    The site list is seemingly ignored, although in the registry "CurrentVersion" is updated correctly every time we change
    the XML file. So we think "SiteList" is configured well.
    On one of our test computers Internet Explorer 11 freezes if you try to enable Enterprise Mode.
    In summary, it seems to be configured properly, but it does not work, or does not work correctly.
    Our goal would be:
    Enterprise Mode + access to the site list by IE11 should be "on" by default!
    Entries of sitelist.xml should be filtered and shown in "Enterprise Mode" and/or the right "DocMode", as configured.
    The user should have no chance to switch "Enterprise Mode" on or off.
    We use "Windows 7" on all our clients, and the test clients are also running the same operating system...
    Please reply
    Thank you very much
    Greetings!
    PS: Please do not be angry if spelling or grammar do not fit well. English is not my native language (my native language is German).

    Hi,
    According to your description, it seems the end users can manually turn the Enterprise Mode on/off. If you don't want this, you can disable the option:
    Computer (User) Configuration > Administrative Templates > Windows Components > Internet Explorer > Let users turn on and use Enterprise Mode from the Tools menu
    Disable this option and users will not have "Enterprise Mode" under "Tools". After that, please run gpupdate /force to update the policy, and get "Use the Enterprise Mode IE website list" applied again on the target system.
    After that, the Enterprise Mode website list gets applied again, and users don't have an option to disable it.
    Yolanda Zhu
    TechNet Community Support

  • Software Restriction Policy batch vs vbs

    Hi there,
    I have recently implemented a Software Restriction Policy on a Computer level with Disallowed level as default.
    I whitelisted the \\mydomain\SysVol so that my Group Policies could run.
    I have a few batch files that run upon user logon. The batch files run but the commands within them do not; they get "access denied".
    Example of one of the batch files:
    sc start servicexyz, killtask processxyz
    If I were to convert my batch script into a VB script, would the VB script be treated as a single file, unlike a batch file which makes calls to other executables?
    Thanks,

    What you are trying to do cannot be done with a GP and cannot be done with a script. This is because what you are trying to do makes very little technical sense. Either delegate the right or use another method.
    ¯\_(ツ)_/¯
    This is how it worked for me just fine before I introduced SRP.
    When the user logged off, a logoff batch script used "sc start service" to start the service.
    When the user logged on, a logon batch script used "sc stop service" to stop the service from running.
    Before SRP, all of my users were local administrators of their computers, so permissions were not in the way. After the SRP introduction,
    I had to remove all users' local admin rights and now experience this issue.
    Do you mean it makes little technical sense with SRP or in general? Care to elaborate please?
    Why do you think you have to start and stop the service all of the time? It sounds like a design issue or an issue with a bad service.
    You can use SC to give users permissions on a service. You can give out just start and stop (control) to a group, then add or remove users from the group.
    The group can be a domain group, and GP can change the security on a service.
    ¯\_(ツ)_/¯
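The delegation the last reply suggests, as an added example that is not part of the thread: the function below adds one access control entry to a service's security descriptor with sc.exe so that members of a group can start and stop that service (and nothing else) without being local administrators. The service name 'servicexyz' and the group name are placeholders; run it in an elevated PowerShell.

```powershell
# Added example, not code from the thread: delegate start/stop of one service to a
# group by adding an ACE to the service's security descriptor with sc.exe, so the
# logon/logoff scripts can call "sc start"/"sc stop" without local admin rights.
# 'servicexyz' and the group name are placeholders; run in an elevated PowerShell.

function Grant-ServiceControl {
    param(
        [Parameter(Mandatory)][string]$ServiceName,
        [Parameter(Mandatory)][string]$GroupName    # e.g. 'MYDOMAIN\ServiceXyz-Operators'
    )
    # SDDL wants a SID; translate the group name to one.
    $account = New-Object System.Security.Principal.NTAccount($GroupName)
    $sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value

    # Current descriptor, e.g. D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)...S:(AU;FA;...;;;WD)
    $sddl = sc.exe sdshow $ServiceName | Where-Object { $_ -match '^D:' } | Select-Object -First 1
    if (-not $sddl) { throw "Could not read the security descriptor of $ServiceName" }
    $sddl = $sddl.Trim()
    if ($sddl -like "*$sid*") { return $sddl }    # group already present; do nothing

    # Least privilege: RP = start, WP = stop, LC = query status, LO = interrogate.
    # No CC/DC (query/change config), no SD/WD (delete, change permissions).
    $ace = "(A;;RPWPLCLO;;;$sid)"

    # Append the ACE to the DACL, keeping the SACL ("S:" part) intact if there is one.
    if ($sddl -match '^(D:.*?)(S:.*)$') { $new = $matches[1] + $ace + $matches[2] }
    else                                { $new = $sddl + $ace }
    $out = sc.exe sdset $ServiceName $new
    if ($LASTEXITCODE -ne 0) { throw "sc sdset failed: $out" }
    return $new
}

# Usage with placeholder names; membership is then managed like any other domain group.
Grant-ServiceControl -ServiceName 'servicexyz' -GroupName 'MYDOMAIN\ServiceXyz-Operators'
sc.exe sdshow servicexyz     # verify the new ACE is present
```

Because the reply also notes that Group Policy can set service security, the same descriptor can be pushed domain-wide from Computer Configuration > Windows Settings > Security Settings > System Services instead of running this on each machine; a GPO applied there will overwrite a locally set descriptor.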

  • RoboHelp9 HTML won't open software restriction policy

    My system administrator installed my upgrade to RoboHelp 9 today, but RH HTML won't open and gives a "Windows cannot open this program because it has been prevented by a software restriction policy" error. Note that I do not have admin rights to my PC.

    Thank you for the quick answer.
    But I have tried setting these options to false
    and restarting FF.
    Nothing, the error is still present.
    browser.download.manager.scanWhenDone;false
    services.sync.prefs.sync.browser.download.manager.scanWhenDone;false
    Now I have written a small test application that will start a program:

    #include <windows.h>
    #include <stdio.h>
    #include <stdlib.h>

    int main(int argc, char *argv[])
    {
        static char CommandLine[4096];
        if (argc < 2) {
            printf("\nSoftware Restriction Policy ByPass for FireFox Thunderbird.\n"
                   "Set this Application Name as Mail Attachment Processing Handler.\n");
            return 1;
        }
        /* pass the file name given by the caller to the shell's start command */
        snprintf(CommandLine, sizeof CommandLine, "Start %s", argv[1]);
        system(CommandLine);
        return 0;
    }

    The application is set up in FF as the application for .doc files, and it starts. But the error is still present.
    But if I set IE as the application for .doc files, IE will start and will open the .doc with Word!
    I have found that MS Office and 7-Zip, which do not work, are 64-bit applications.
    Foxit Reader is a 32-bit application that works normally.
    Firefox is also 32-bit.

  • Software Restriction Policy

    Hi,
    We have applied Software Restriction Policies in a test lab to restrict unwanted applications from running. We have made exception path and hash rules for genuine applications and software.
    We have observed that if the exception list grows large, then we cannot open or change GPOs, and clients also cannot apply the policy. Once we restore it from backup it works fine again.
    I wanted to know whether there is any limit on the exception list after which we should consider creating an additional policy.
    Thanks

    Hi Sukhwin08,
    Based on my knowledge, there is no limit on the number of Software Restriction Policy rules.
    Please enable GPSVC debug logging on the problematic client machine if the SRP cannot be applied successfully. This log records detailed information about the group policy application
    process, which is very useful for troubleshooting group policy related issues. To do so, add the following registry entry:
    Sub-key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics
    Entry: GPSvcDebugLevel
    Type: REG_DWORD
    Value: 30002 (HEX)
    After you make this change, run gpupdate /force on the computer to reproduce the issue. After that, compress the %SystemRoot%\Debug\UserMode\ folder and check whether there are any errors about the issue.
    Please note: the registry key Diagnostics does not exist by default, so we need to add it first. In addition, we can disable the debug logging after the troubleshooting.
    Regards,
    Lany Zhang
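The logging procedure from this reply, scripted as an added example (not code from the thread): it creates the Diagnostics key and the GPSvcDebugLevel value, refreshes policy so the problem is reproduced with logging on, pulls the failure lines out of gpsvc.log, and removes the value again. The log file name gpsvc.log under %SystemRoot%\Debug\UserMode and the approximate line format in the comment are assumptions from the standard GPSVC logging; run it in an elevated PowerShell on the affected client.

```powershell
# Added example, not code from the thread: enable GPSVC debug logging with the
# registry value described above, refresh policy to reproduce the problem, pull the
# failure lines out of gpsvc.log, and turn logging off again.
# Run in an elevated PowerShell on the affected client.

$DiagKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Diagnostics'
$LogFile = "$env:SystemRoot\Debug\UserMode\gpsvc.log"

function Enable-GpsvcDebugLog {
    # The Diagnostics key does not exist by default, so create it first.
    if (-not (Test-Path $DiagKey)) { New-Item -Path $DiagKey -Force | Out-Null }
    New-ItemProperty -Path $DiagKey -Name 'GPSvcDebugLevel' -PropertyType DWord `
        -Value 0x30002 -Force | Out-Null
}

function Disable-GpsvcDebugLog {
    Remove-ItemProperty -Path $DiagKey -Name 'GPSvcDebugLevel' -ErrorAction SilentlyContinue
}

function Get-GpsvcLogErrors {
    param([string]$Path = $LogFile, [int]$Last = 50)
    if (-not (Test-Path $Path)) {
        throw "No log at $Path; refresh policy (gpupdate /force) after enabling logging"
    }
    # Lines look roughly like: GPSVC(3a8.d1c) 10:15:02:123 ProcessGPOs: ... failed with 0x5.
    # Keep only the lines that report a failure, an error or a denied access.
    Select-String -Path $Path -Pattern 'fail|error|denied' |
        Select-Object -Last $Last |
        ForEach-Object { $_.Line.Trim() }
}

Enable-GpsvcDebugLog
gpupdate /force | Out-Null       # reproduce the policy refresh with logging on
Get-GpsvcLogErrors
Disable-GpsvcDebugLog
```

If the filtered output is empty but policy still does not apply, read the whole file around the processing of the GPO that carries the SRP rules; the failing extension and the Win32 error code are what you want to have at hand before comparing the policy against its last working backup.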

  • Software Restriction Policy/AppLocker Restricting Process by Parameters

    Is there any way with Software Restriction Policy or AppLocker to restrict the parameters a process is called with? For example we only want to allow: some.exe <this is OK to run>, but block everything else passed to that exe at start-up?

    Hi,
    >>Is there any way with Software Restriction Policy or AppLocker to restrict the parameters a process is called with?
    How is it going? Based on the description, I am afraid that we are not able to achieve this. As you may already know, both SRP and AppLocker use policy rules to restrict or unrestrict software. The policy rules of SRP are: certificate rules, hash
    rules, Internet zone rules and path rules; the rule conditions of AppLocker are: publisher, path and file hash.
    Regarding SRP rules and Applocker rules, the following articles can be referred to for more information.
    Work with Software Restriction Policies Rules
    http://technet.microsoft.com/en-us/library/hh994597.aspx
    Understanding AppLocker Rules
    http://technet.microsoft.com/en-us/library/dd759068.aspx
    Best regards,
    Frank Shen

  • I bought an IPAD air from state and the screen is not working correctly and right now i'm in Egypt ,can i send my ipad to service in Egypt and the warranty will work in Egypt or what?

    I bought an iPad Air (32 GB, Wi-Fi only) from the USA just one month ago and the screen is not working correctly (picture attached), and right now I'm in Egypt. Can I send my iPad for service in Egypt and will the warranty work in Egypt, or what?

    Have you tried a soft-reset to see if that fixes it ? You might be able to get warranty service in Egypt for your iPad, but the warranty includes :
    IMPORTANT RESTRICTION FOR iPHONE AND iPAD SERVICE.
    Apple may restrict warranty service for iPhone and iPad to the country where Apple or its Authorized Distributors originally sold the device.
    As it's wifi-only you should have a better chance of it being serviced under warranty, but there are no guarantees, it might depend upon the repairer.
    Egypt authorised service providers : https://locate.apple.com/eg/en/

  • How to apply Software Restriction policy for specific user in local group policy object ?

    I am working on implementing a user-based software restriction policy programmatically for a local group policy object.
    If I create a policy through the Domain Controller, I do have an option for software restriction policy in the user configuration, but in the local group policy editor I don't have that option.
    When I look at the changes made by the policy applied from the Domain Controller in the registry, it modifies registry values for specific users under the path HKEY_USERS\(SID of User)\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers.
    They also have registry.pol stored in the SYSVOL folder on the Domain Controller. When I make the same changes in the registry to block any other application, the application gets blocked.
    I achieved what I wanted, but is it right to modify registry values?
    PS: I am using the IGroupPolicyObject API

    >>I achieved what I wanted but is it right to modify registry values ?
    You can also modify a registry-based policy programmatically. Check this:
    http://blogs.msdn.com/b/dsadsi/archive/2009/07/23/working-with-group-policy-objects-programmatically-simple-c-example-illustrating-how-to-modify-a-registry-based-policy.aspx

  • Sleep not working correctly

    Since updating my Late 2010 iMac to Mountain Lion the sleep function does not work correctly. The system keeps waking up for no reason. The monitor comes on day or night. I cannot figure out a fix or workaround. Any ideas?

    Please read this whole message before doing anything. This procedure is a test, not a solution. Don't be disappointed when you find that nothing has changed after you complete it.

    Step 1
    The purpose of this step is to determine whether the problem is localized to your user account. Enable guest logins* and log in as Guest. For instructions, launch the System Preferences application, select Help from the menu bar, and enter "Set up guest users" (without the quotes) in the search box. Don't use the Safari-only "Guest User" login created by "Find My Mac."
    While logged in as Guest, you won't have access to any of your personal files or settings. Applications will behave as if you were running them for the first time. Don't be alarmed by this; it's normal. If you need any passwords or other personal data in order to complete the test, memorize, print, or write them down before you begin.
    Test while logged in as Guest. Same problem(s)?
    After testing, log out of the guest account and, in your own account, disable it if you wish. Any files you created in the guest account will be deleted automatically when you log out of it.
    *Note: If you've activated "Find My Mac" or FileVault, then you can't enable the Guest account. The "Guest User" login created by "Find My Mac" is not the same. Create a new account in which to test, and delete it, including its home folder, after testing.

    Step 2
    The purpose of this step is to determine whether the problem is caused by third-party system modifications that load automatically at startup or login. Disconnect all wired peripherals except those needed for the test, and remove all aftermarket expansion cards. Boot in safe mode* and log in to the account with the problem. The instructions provided by Apple are as follows:
    Shut down your computer, wait 30 seconds, and then hold down the shift key while pressing the power button.
    When you see the gray Apple logo, release the shift key.
    If you are prompted to log in, type your password, and then hold down the shift key again as you click Log in.
    Safe mode is much slower to boot and run than normal, and some things won't work at all, including wireless networking on certain Macs. The login screen appears even if you usually log in automatically. You must know your login password in order to log in. If you've forgotten the password, you will need to reset it before you begin.
    *Note: If FileVault is enabled, or if a firmware password is set, or if the boot volume is a software RAID, you can't boot in safe mode.
    Test while in safe mode. Same problem(s)? After testing, reboot as usual (i.e., not in safe mode) and verify that you still have the problem. Post the results of steps 1 and 2.

  • IPhone 3Gs notes not working correctly

    I use the Notes app all the time on my iPhone and noticed today that it is not working correctly. When I make a new note it takes forever to save it, meaning the little indicator keeps spinning at the top showing the iPhone is working. Then once it is saved, if I close it and come back into it to add something more to the note, it saves it for a second and then deletes what I just added. What can I do to fix this? I have a 3GS, software version 4.0.1. Thanks

    I did the reset and it 'appears' to be working. I still need to test it more before I am convinced. The reason I say this is because it still takes an abnormally long time to save a new note. I simply type one word into the notepad and tap 'Done', and the indicator at the top spins for several minutes. The information is still in the note, so maybe it's working. I wonder why it takes that long? Is that typical? I don't recall if it was always like that or if I just noticed it because the function was not working properly??
