Multi-app Kiosk's Allowed desktop App Triggering Restrictions Error Message Box

MrMJFisher 46 Reputation points
2021-04-27T18:49:24.24+00:00

On our multi-app kiosk, a message box titled "Restrictions" with the following message appears each time the system attempts to start "%SYSTEM32%\CLEANMGR.EXE", which is an allowed app.

"This operation has been cancelled due to restrictions in effect on this computer. Please contact your system administrator."

(Screenshot attached: 91759-errormessage.jpg)
Following the documentation, I have reviewed the following event logs:

  • Application
  • Security
  • System
  • Microsoft-Windows-AppLocker/Packaged app-Execution
  • Microsoft-Windows-AppLocker/Packaged app-Deployment
  • Microsoft-Windows-AppLocker/MSI and Script
  • Microsoft-Windows-AppLocker/EXE and DLL
  • Microsoft-Windows-AssignedAccess/Operational
  • Microsoft-Windows-AssignedAccess/Admin

Error ID 8004 is listed in the "EXE and DLL" log at 4/26/2021 4:13:25 PM by provider Microsoft-Windows-AppLocker with the following message:

%SYSTEM32%\CLEANMGR.EXE was prevented from running.

I have a Windows 10 1903 (build 18362.1256) Dell OptiPlex 7050 set up as a multi-app kiosk. I have allowed multiple applications using the "AllowedApps" list in the assigned access configuration XML file. Here is a redacted copy of the assigned access configuration XML file. I've used both the App User Model ID (AUMID) and the full path of the executable. I've verified the XML against the XSD. I added the configuration XML to the Windows Configuration Designer project. From Windows Configuration Designer I exported the provisioning package, copied it to the kiosk, installed the provisioning package, and rebooted. I ran the following as administrator to confirm there were no errors:

    Get-ProvisioningPackage -AllInstalledPackages -Verbose
    ...some output omitted...
    Rank            : 11  
    Altitude        : 5011  
    Version         : 3.14  
    OwnerType       : ITAdmin  
    Notes           :  
    LastInstallTime : 4/22/2021 4:12:04 PM  
    Result          : 0__AssignedAccess_MultiAppAssignedAccessSettings.provxml  
                            Category:UxLockdown  
                            LastResult:Success  
                            Message:Provisioning succeeded  
                            NumberOfFailures:0 (0x0)  
      
                      1__Policies_Start_HideLock.provxml  
                            Category:Policies  
                            LastResult:Success  
                            Message:Policies applied successfully.  
                            NumberOfFailures:0 (0x0)  
      
                      2__Policies_Start_HideShutDown.provxml  
                            Category:Policies  
                            LastResult:Success  
                            Message:Policies applied successfully.  
                            NumberOfFailures:0 (0x0)  
      
                      3__Policies_Start_HideSleep.provxml  
                            Category:Policies  
                            LastResult:Success  
                            Message:Policies applied successfully.  
                            NumberOfFailures:0 (0x0)  
      
                      4__SMISettings_AutoLogon.provxml  
                            Category:UxLockdown  
                            LastResult:Success  
                            Message:Provisioning succeeded  
                            NumberOfFailures:0 (0x0)  
      
                      5__SMISettings_BrandingNeutral.provxml  
                            Category:UxLockdown  
                            LastResult:Success  
                            Message:Provisioning succeeded  
                            NumberOfFailures:0 (0x0)  
      
                      6__SMISettings_NoLockScreen.provxml  
                            Category:UxLockdown  
                            LastResult:Success  
                            Message:Provisioning succeeded  
                            NumberOfFailures:0 (0x0)  

When booting, the system signs in as the Active Directory user account, and the desired Excel workbook opens. I can further review the settings that the provisioning package created by looking at the registry and Group Policies. In the user's registry hive at "...\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", I can see that the "RestrictRun" DWORD is set to 1. The associated "RestrictRun" subkey lists the various applications, each in its own string value, including "CLEANMGR.EXE". Running the following as administrator to get a Group Policy result, I can see that "CLEANMGR.EXE" is listed under User > Settings > Policies > Administrative Templates > System > Run only specified Windows applications.

    Get-GPResultantSetOfPolicy -Computer [computername] -User [kiosk.username] -ReportType Html -Path c:\GPresult\20210426.html -Verbose

I am intentionally blocking most applications and need to continue to prevent the kiosk user from running most applications. I do want to allow the workstation to run any application needed for system health (anti-virus, updates, maintenance applications, etc.). I do not want to disable AppLocker.

How do I stop AppLocker from blocking the CLEANMGR.EXE application?

OR

How do I hide the message box displaying the error to the kiosk user?


Accepted answer
  1. 2021-10-08T18:17:05.617+00:00

    Check for the variable path in the system, as the kiosk and user domain are the same.
    Is the %SYSTEM32%\ variable accessible from Run?
    If not, necessary changes need to be made.

    1 person found this answer helpful.
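The following diagnostic script is an added example for this thread; it is not code from the question or from the accepted answer. It collects on the kiosk the three pieces of evidence the question and the accepted answer talk about: the AppLocker 8004 block events from the "EXE and DLL" log, the effective AppLocker Exe rule collection with its path conditions (the %SYSTEM32% in the event message is AppLocker's own path variable for %windir%\System32, not an environment variable resolved by Run), and the Explorer RestrictRun list the provisioning package wrote. It then asks Test-AppLockerPolicy directly whether cleanmgr.exe is allowed for the kiosk account. The $KioskUser default is a placeholder that must be replaced with the real account; the RestrictRun check reads HKCU, so it reports the hive of whichever account runs the script.

```powershell
# Added diagnostic example (not from the original post). Run in an elevated
# PowerShell on the kiosk; AppLocker cmdlets come from the built-in AppLocker module.
param(
    [string]$KioskUser  = 'KIOSKDOMAIN\kiosk.username',           # placeholder, not a real account
    [string]$Executable = "$env:windir\System32\cleanmgr.exe",   # the binary named in the question
    [int]$Days = 7
)

$leaf = Split-Path $Executable -Leaf

# 1. AppLocker audit trail: 8003 = would have blocked (audit mode), 8004 = blocked.
$blocked = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-AppLocker/EXE and DLL'
    Id        = 8003, 8004
    StartTime = (Get-Date).AddDays(-$Days)
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($leaf) } |
    Select-Object TimeCreated, Id, UserId, Message

"== AppLocker block events mentioning $leaf in the last $Days day(s) =="
$blocked | Format-Table -AutoSize -Wrap

# 2. Effective AppLocker policy (local policy merged with domain policy).
#    Path conditions may use AppLocker variables such as %SYSTEM32% or %WINDIR%.
$policyXml  = Get-AppLockerPolicy -Effective -Xml
$policyFile = Join-Path $env:TEMP 'effective-applocker.xml'
Set-Content -Path $policyFile -Value $policyXml -Encoding UTF8

$exeRules = ([xml]$policyXml).AppLockerPolicy.RuleCollection |
    Where-Object { $_.Type -eq 'Exe' }
"== Exe rule collection, EnforcementMode = $($exeRules.EnforcementMode) =="
$exeRules.FilePathRule |
    Select-Object Name, Action, UserOrGroupSid,
        @{ n = 'Path'; e = { $_.Conditions.FilePathCondition.Path } } |
    Format-Table -AutoSize -Wrap

# 3. Ask AppLocker itself whether this file is allowed for the kiosk account.
#    PolicyDecision is Allowed, Denied or DeniedByDefault; MatchingRule names the rule.
"== Test-AppLockerPolicy verdict for $KioskUser =="
Test-AppLockerPolicy -XmlPolicy $policyFile -Path $Executable -User $KioskUser |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 4. The Explorer "Run only specified Windows applications" list from the user hive.
#    RestrictRun entries are bare file names and are enforced by Explorer, not by
#    AppLocker, so a file present here can still be denied by the Exe rule collection.
$explorerKey = 'Registry::HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$restrictRun = Join-Path $explorerKey 'RestrictRun'
if (Test-Path $restrictRun) {
    $entries = (Get-ItemProperty $restrictRun).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        Select-Object -ExpandProperty Value
    "== RestrictRun entries in HKCU ($($entries.Count)) =="
    $entries
    "$leaf present in RestrictRun: $($entries -contains $leaf)"
} else {
    "RestrictRun subkey not present in the current user's hive."
}
```

Reading the three outputs together separates the two mechanisms the question mixes: the RestrictRun list and the Group Policy result only show what Explorer permits, while the 8004 events and the Test-AppLockerPolicy verdict show what AppLocker enforces for that user and path.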

10 additional answers

  1. Lil ily 1 Reputation point
    2022-11-25T10:28:22.393+00:00

    Hello,

    Any news from Microsoft?

    Did you find a solution?

    Best regards.


  2. MrMJFisher 46 Reputation points
    2022-12-14T21:41:41.557+00:00

    @Lil ily; in short, no.

    The biggest improvement was ensuring that the Windows Imaging and Configuration Designer matched the Windows release version (aka 21H1 or 1809, etc.).
    Through the steps taken here, we greatly reduced the number of events appearing. The staff also got familiar with the issue and would just close the alert. Since then, responsibility for the kiosk has changed hands; we have moved to using Intune (vs. the Designer), moved to Excel Online (vs. the Office application), and moved to a more "read-only" approach for these kiosk machines.
