Multi-app Kiosk's Allowed desktop App Triggering Restrictions Error Message Box

MrMJFisher 46 Reputation points
2021-04-27T18:49:24.24+00:00

On our multi-app kiosk, a message box titled "Restrictions" with the following message appears each time the system attempts to start "%SYSTEM32%\CLEANMGR.EXE", which is an allowed app.

"This operation has been cancelled due to restrictions in effect on this computer. Please contact your system administrator."

[screenshot: 91759-errormessage.jpg]
Following the documentation, I have reviewed the following event logs:

  • Application
  • Security
  • System
  • Microsoft-Windows-AppLocker/Packaged app-Execution
  • Microsoft-Windows-AppLocker/Packaged app-Deployment
  • Microsoft-Windows-AppLocker/MSI and Script
  • Microsoft-Windows-AppLocker/EXE and DLL
  • Microsoft-Windows-AssignedAccess/Operational
  • Microsoft-Windows-AssignedAccess/Admin

Error ID 8004 is listed in the "EXE and DLL" log at 4/26/2021 4:13:25 PM by provider Microsoft-Windows-AppLocker with the following message:

%SYSTEM32%\CLEANMGR.EXE was prevented from running.

I have a Windows 10 1903 (18362.1256 build) Dell OptiPlex 7050 set up as a multi-app kiosk. I have allowed multiple applications using the "AllowedApps" list in the assigned access configuration XML file. Here is a redacted copy of the assigned access configuration XML file. I've used both the App User Model ID (AUMID) and the full path of the executable. I've verified the XML against the XSD. I added the configuration XML to the Windows Configuration Designer project. From Windows Configuration Designer I exported the provisioning package, copied it to the kiosk, installed the provisioning package, and rebooted. I ran the following as administrator to confirm there were no errors:

        Get-ProvisioningPackage -AllInstalledPackages -Verbose  
...some output omitted...  
    Rank            : 11  
    Altitude        : 5011  
    Version         : 3.14  
    OwnerType       : ITAdmin  
    Notes           :  
    LastInstallTime : 4/22/2021 4:12:04 PM  
    Result          : 0__AssignedAccess_MultiAppAssignedAccessSettings.provxml  
                            Category:UxLockdown  
                            LastResult:Success  
                            Message:Provisioning succeeded  
                            NumberOfFailures:0 (0x0)  
      
                      1__Policies_Start_HideLock.provxml  
                            Category:Policies  
                            LastResult:Success  
                            Message:Policies applied successfully.  
                            NumberOfFailures:0 (0x0)  
      
                      2__Policies_Start_HideShutDown.provxml  
                            Category:Policies  
                            LastResult:Success  
                            Message:Policies applied successfully.  
                            NumberOfFailures:0 (0x0)  
      
                      3__Policies_Start_HideSleep.provxml  
                            Category:Policies  
                            LastResult:Success  
                            Message:Policies applied successfully.  
                            NumberOfFailures:0 (0x0)  
      
                      4__SMISettings_AutoLogon.provxml  
                            Category:UxLockdown  
                            LastResult:Success  
                            Message:Provisioning succeeded  
                            NumberOfFailures:0 (0x0)  
      
                      5__SMISettings_BrandingNeutral.provxml  
                            Category:UxLockdown  
                            LastResult:Success  
                            Message:Provisioning succeeded  
                            NumberOfFailures:0 (0x0)  
      
                      6__SMISettings_NoLockScreen.provxml  
                            Category:UxLockdown  
                            LastResult:Success  
                            Message:Provisioning succeeded  
                            NumberOfFailures:0 (0x0)  

When booting, the system signs in as the Active Directory user account, and the desired Excel workbook opens. I can further review the settings that the provisioning package created by looking at the registry and Group Policies. In the user's registry hive at "...\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", I can see that the "RestrictRun" DWORD is set to 1. The associated "RestrictRun" subkey lists the various applications, each in its own string value, including "CLEANMGR.EXE". Running the following as administrator to get a Group Policy result, I can see that "CLEANMGR.EXE" is listed under User > Settings > Policies > Administrative Templates > System > Run only specified Windows applications.

Get-GPResultantSetOfPolicy -Computer [computername] -User [kiosk.username] -ReportType Html -Path c:\GPresult\20210426.html -Verbose  

I am intentionally blocking most applications and need to continue to prevent the kiosk user from running most applications. I do want to allow the workstation to run any application needed for system health (anti-virus, updates, maintenance applications, etc.). I do not want to disable AppLocker.
How do I stop AppLocker from blocking the CLEANMGR.EXE application?
OR
How do I hide the error message box from the kiosk user?


Accepted answer
  1. 2021-10-08T18:17:05.617+00:00

    Check for the variable path on the system, as the kiosk and user domain are the same.
    Is the %SYSTEM32%\ variable accessible from Run?
    If not, you need to make the necessary changes.

    1 person found this answer helpful.

10 additional answers

  1. Teemo Tang 11,351 Reputation points
    2021-04-28T08:02:19.463+00:00

    I checked your assignedaccessconfiguration.xml; yes, cleanmgr.exe has been added to your AllowedApps.
    [screenshot: 92018-all.jpg]
    Since AppLocker prevents cleanmgr.exe from running, I suggest manually allowing this executable file in AppLocker.
    Use AppLocker to Allow or Block Executable Files in Windows 10 | Tutorials (tenforums.com)
    https://www.tenforums.com/tutorials/124008-use-applocker-allow-block-executable-files-windows-10-a.html

    Besides, make sure you don't configure the "Don't run specified Windows applications" GPO.
    Make sure there is not a key called DisallowRun in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer.


    1 person found this answer helpful.
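    A consolidated diagnostic for the checks the question walks through (the RestrictRun allow-list in the user's Policies\Explorer key and the AppLocker "EXE and DLL" log) together with the DisallowRun and AppLocker-rule checks suggested in the answer above, as an added example that is not part of the original question or of any answer. It assumes it runs in the kiosk user's session (so HKCU is that user's hive), can read the AppLocker event log, and has the AppLocker PowerShell module; the $ExeName, $FullPath and $Days parameters are this script's own.

```powershell
# Added diagnostic script, not from the thread. Run in the kiosk user's session
# so HKCU is that user's hive; needs read access to the AppLocker event log and
# the AppLocker PowerShell module. $ExeName/$FullPath/$Days are this script's own.
param(
    [string]$ExeName  = 'cleanmgr.exe',
    [string]$FullPath = "$env:SystemRoot\System32\cleanmgr.exe",
    [int]$Days = 7
)

# 1. Explorer shell restrictions: RestrictRun is an allow-list, DisallowRun a deny-list.
#    The flag is a DWORD on ...\Policies\Explorer; the entries are string values
#    under a subkey of the same name.
$explorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
foreach ($list in 'RestrictRun', 'DisallowRun') {
    $flag = (Get-ItemProperty -Path $explorer -Name $list -ErrorAction SilentlyContinue).$list
    $sub  = Get-Item -Path "$explorer\$list" -ErrorAction SilentlyContinue
    $entries = @()
    if ($sub) { $entries = @($sub.GetValueNames() | ForEach-Object { $sub.GetValue($_) }) }
    # Entries may be bare names or full paths; compare on the file name only.
    $listed = @($entries | Where-Object { [IO.Path]::GetFileName($_) -ieq $ExeName })
    [pscustomobject]@{
        Check     = $list
        Enabled   = ($flag -eq 1)
        Entries   = $entries.Count
        ExeListed = ($listed.Count -gt 0)
    }
}

# 2. What the effective AppLocker policy decides for the binary when run as Everyone.
Get-AppLockerPolicy -Effective |
    Test-AppLockerPolicy -Path $FullPath -User Everyone |
    Select-Object FilePath, PolicyDecision, MatchingRule

# 3. AppLocker audit trail for the binary: 8002 = allowed, 8003 = would have been
#    blocked (audit mode), 8004 = blocked.
$decision = @{ 8002 = 'Allowed'; 8003 = 'AuditOnlyBlock'; 8004 = 'Blocked' }
$filter = @{
    LogName   = 'Microsoft-Windows-AppLocker/EXE and DLL'
    Id        = 8002, 8003, 8004
    StartTime = (Get-Date).AddDays(-$Days)
}
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$ExeName*" } |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, Id,
        @{ Name = 'Decision'; Expression = { $decision[[int]$_.Id] } },
        @{ Name = 'User';     Expression = { $_.UserId } }
```

    Comparing the first table (shell restrictions) with the second and third (AppLocker) shows which of the two mechanisms is the one reporting the block for the binary.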

  2. MrMJFisher 46 Reputation points
    2021-04-29T16:53:28.113+00:00

    Thank you @Teemo Tang for reviewing my post and thank you for your sensible suggestion.

    I've been hesitant to create an AppLocker rule to directly allow the executable file, as the first note under AllowedApps in Microsoft's "Set up a multi-app kiosk" advises:

    Avoid creating AppLocker rules that conflict with AppLocker rules...

    I will try your suggestion today and report the results on Monday.

    The "Don't run specified Windows applications" GPO is not set in the user's GPO settings. Below is a screenshot of the Get-GPResultantSetOfPolicy output, which I ran this morning:
    [screenshot: 92666-20210429-gpresult.png]

    There is not a key or value of DisallowRun in [...User's Hive...]\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer. Below is a screenshot of that key and its values:
    [screenshot: 92590-registry-polices-explorer.png]


  3. MrMJFisher 46 Reputation points
    2021-05-04T22:47:10.727+00:00

    New error events continue to appear, but the user has not reported the message box appearing. Also, I now see a second event stating the exe was allowed to run.

       ProviderName: Microsoft-Windows-AppLocker
    
    TimeCreated                      Id LevelDisplayName Message
    -----------                      -- ---------------- -------
    5/3/2021 6:29:54 PM            8002 Information      %SYSTEM32%\CLEANMGR.EXE was allowed to run.
    5/3/2021 6:29:54 PM            8004 Error            %SYSTEM32%\CLEANMGR.EXE was prevented from running.
    5/3/2021 6:48:26 PM            8002 Information      %SYSTEM32%\CLEANMGR.EXE was allowed to run.
    5/3/2021 6:48:26 PM            8004 Error            %SYSTEM32%\CLEANMGR.EXE was prevented from running.
    

    Below is the output from Get-AppLockerPolicy -Local:$true -Xml:

    <?xml version="1.0" encoding="UTF-8"?>
    <AppLockerPolicy Version="1">
       <RuleCollection Type="Appx" EnforcementMode="NotConfigured">
          <FilePublisherRule Id="2cc2f8b5-7a2f-49ae-a3ec-214f61a7333d" Name="Signed by Microsoft Corporation" Description="Publisher exception for Microsoft.WebMediaExtensions" UserOrGroupSid="S-1-1-0" Action="Allow">
             <Conditions>
                <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="*" BinaryName="*">
                   <BinaryVersionRange LowSection="*" HighSection="*" />
                </FilePublisherCondition>
             </Conditions>
          </FilePublisherRule>
       </RuleCollection>
       <RuleCollection Type="Dll" EnforcementMode="NotConfigured" />
       <RuleCollection Type="Exe" EnforcementMode="NotConfigured">
          <FilePublisherRule Id="60e4d6a5-5157-4e30-9cef-3b3d9b1a20ac" Name="Signed by O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" Description="Allow Microsoft Publisher" UserOrGroupSid="S-1-1-0" Action="Allow">
             <Conditions>
                <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="*" BinaryName="*">
                   <BinaryVersionRange LowSection="*" HighSection="*" />
                </FilePublisherCondition>
             </Conditions>
          </FilePublisherRule>
          <FilePathRule Id="e6138701-efda-49a3-92c4-91936de21239" Name="%SYSTEM32%\CLEANMGR.EXE" Description="CleanMgr.EXE path exception" UserOrGroupSid="S-1-1-0" Action="Allow">
             <Conditions>
                <FilePathCondition Path="%SYSTEM32%\CLEANMGR.EXE" />
             </Conditions>
          </FilePathRule>
       </RuleCollection>
       <RuleCollection Type="Msi" EnforcementMode="NotConfigured" />
       <RuleCollection Type="Script" EnforcementMode="NotConfigured" />
    </AppLockerPolicy>
    

  4. MrMJFisher 46 Reputation points
    2021-05-05T00:04:05.13+00:00

    The user just reported that the message box has reappeared. Time stamp on image is from today (we are PST/DST). Likely from another app being blocked, but I do see error logs after the image time stamp relating to the CLEANMGR.EXE.

    Date Taken 5/4/2021 3:47 PM

    [screenshot: 93627-img-2259.jpg]
