Check for the variable path in the system, as the kiosk and user domain are the same.
Is the %SYSTEM32%\ variable accessible from Run?
If not, you need to make the necessary changes.
Multi-app Kiosk's Allowed desktop App Triggering Restrictions Error Message Box
On our multi-app kiosk, a message box titled "Restrictions" with the following message appears each time the system attempts to start "%SYSTEM32%\CLEANMGR.EXE", which is an allowed app:
"This operation has been cancelled due to restrictions in effect on this computer. Please contact your system administrator."
Following the documentation, I have reviewed the following event logs:
- Application
- Security
- System
- Microsoft-Windows-AppLocker/Packaged app-Execution
- Microsoft-Windows-AppLocker/Packaged app-Deployment
- Microsoft-Windows-AppLocker/MSI and Script
- Microsoft-Windows-AppLocker/EXE and DLL
- Microsoft-Windows-AssignedAccess/Operational
- Microsoft-Windows-AssignedAccess/Admin
Error ID 8004 is listed in the "EXE and DLL" log at 4/26/2021 4:13:25 PM by provider Microsoft-Windows-AppLocker with the following message:
%SYSTEM32%\CLEANMGR.EXE was prevented from running.
I have a Windows 10 1903 (18362.1256 build) Dell OptiPlex 7050 set up as a multi-app kiosk. I have allowed multiple applications using the "AllowedApps" list in the assigned access configuration XML file. Here is a redacted copy of the assigned access configuration XML file. I've used both the App User Model ID (AUMID) and the full path of the executable. I've verified the XML using the XSD. I added the configuration XML to the Windows Configuration Designer project. From the Windows Configuration Designer I exported the provisioning package, copied it to the kiosk, installed the provisioning package, and rebooted. I ran the following as administrator to confirm there were no errors:
Get-ProvisioningPackage -AllInstalledPackages -Verbose
...some output omitted...
Rank : 11
Altitude : 5011
Version : 3.14
OwnerType : ITAdmin
Notes :
LastInstallTime : 4/22/2021 4:12:04 PM
Result :
0__AssignedAccess_MultiAppAssignedAccessSettings.provxml
Category:UxLockdown
LastResult:Success
Message:Provisioning succeeded
NumberOfFailures:0 (0x0)
1__Policies_Start_HideLock.provxml
Category:Policies
LastResult:Success
Message:Policies applied successfully.
NumberOfFailures:0 (0x0)
2__Policies_Start_HideShutDown.provxml
Category:Policies
LastResult:Success
Message:Policies applied successfully.
NumberOfFailures:0 (0x0)
3__Policies_Start_HideSleep.provxml
Category:Policies
LastResult:Success
Message:Policies applied successfully.
NumberOfFailures:0 (0x0)
4__SMISettings_AutoLogon.provxml
Category:UxLockdown
LastResult:Success
Message:Provisioning succeeded
NumberOfFailures:0 (0x0)
5__SMISettings_BrandingNeutral.provxml
Category:UxLockdown
LastResult:Success
Message:Provisioning succeeded
NumberOfFailures:0 (0x0)
6__SMISettings_NoLockScreen.provxml
Category:UxLockdown
LastResult:Success
Message:Provisioning succeeded
NumberOfFailures:0 (0x0)
When booting, the system signs in as the Active Directory user account, and the desired Excel workbook opens. I can further review the settings that the provisioning package created by looking at the registry and Group Policies. In the user's registry hive at "...\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", I can see that the "RestrictRun" DWORD is set to 1. The associated subkey of "RestrictRun" lists the various applications, each in its own string value, including "CLEANMGR.EXE". Running the following as administrator to get a Group Policy result, I can see that "CLEANMGR.EXE" is listed under User > Settings > Policies > Administrative Templates > System > Run only specified Windows applications.
Get-GPResultantSetOfPolicy -Computer [computername] -User [kiosk.username] -ReportType Html -Path c:\GPresult\20210426.html -Verbose
I am intentionally blocking most applications and need to continue to prevent the kiosk user from running most applications. I do want to allow the workstation to run any application for system health (anti-virus, updates, maintenance application, etc.). I do not want to disable AppLocker.
How do I stop AppLocker from blocking the CLEANMGR.EXE application?
OR
How do I hide the message box displaying the error to the kiosk user?
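As an added diagnostic script (not from the question or any of the answers), the following PowerShell cross-checks the three places the question looks at: the RestrictRun allow-list in the user's Explorer policy key, AppLocker's effective decision for the executable, and the recent 8004 block events. It assumes the kiosk account is the placeholder name `kiosk.username` and that the blocked binary is `C:\Windows\System32\cleanmgr.exe`; run the RestrictRun part in the kiosk user's own session so HKCU is that user's hive.

```powershell
# Added diagnostic example, not the question author's code.
# Assumptions: kiosk account name and executable path are placeholders.
$KioskUser = 'kiosk.username'                               # assumed placeholder
$Exe       = Join-Path $env:SystemRoot 'System32\cleanmgr.exe'
$ExeLeaf   = Split-Path $Exe -Leaf

# 1. RestrictRun (Explorer policy written by the provisioning package).
#    RestrictRun=1 means "run only the listed programs"; the list lives in the
#    RestrictRun subkey as one string value per program (name only, no path).
$PolKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$Flag   = (Get-ItemProperty -Path $PolKey -ErrorAction SilentlyContinue).RestrictRun
Write-Host "RestrictRun DWORD = $Flag"

$ListKey = Get-Item -Path "$PolKey\RestrictRun" -ErrorAction SilentlyContinue
$Allowed = @()
if ($ListKey) {
    $Allowed = $ListKey.GetValueNames() |
        ForEach-Object { Get-ItemPropertyValue -Path "$PolKey\RestrictRun" -Name $_ }
}
$InList = $Allowed | Where-Object { (Split-Path $_ -Leaf) -ieq $ExeLeaf }
Write-Host ("RestrictRun lists {0}: {1}" -f $ExeLeaf, [bool]$InList)

# 2. AppLocker: evaluate the effective policy for the kiosk user against the
#    exact file. AppLocker's %SYSTEM32% in event text is its own path variable
#    (C:\Windows\System32), not an environment variable the shell resolves.
$Decision = Get-AppLockerPolicy -Effective |
    Test-AppLockerPolicy -Path $Exe -User $KioskUser
$Decision | Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 3. Recent AppLocker 8004 ("was prevented from running") events for the file,
#    so the block can be correlated with the Restrictions message box.
Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8004
    } -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$ExeLeaf*" } |
    Select-Object TimeCreated, Message |
    Format-List
```

If RestrictRun lists the program but Test-AppLockerPolicy reports Denied, the mismatch is on the AppLocker side (the generated rule set), not the Explorer policy.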
-
Manasi Shirke (CONVERGYS CORPORATION) 81 Reputation points
2021-10-08T18:17:05.617+00:00
10 additional answers
-
Lil ily 1 Reputation point
2022-11-25T10:28:22.393+00:00
Hello,
Any news from Microsoft?
Did you find a solution?
Best regards.
-
MrMJFisher 46 Reputation points
2022-12-14T21:41:41.557+00:00
@Lil ily; in short, no.
The biggest improvement was ensuring that the Windows Imaging and Configuration Designer matched the Windows release version (aka 21H1 or 1809, etc.).
Through the steps taken here we greatly reduced the events appearing. The staff also got familiar with the issue and would just close the alert. Since then, the responsibility of the Kiosk has changed hands, we have moved to using Intune (vs the Designer), moved to Excel online (vs the Office application), and moved to a more "read-only" approach for these Kiosk machines.