Check for the variable path in the system, as the kiosk and user domain are the same.
Is the %SYSTEM32%\ variable accessible from Run?
If not, the necessary changes need to be made.
Multi-app Kiosk's Allowed desktop App Triggering Restrictions Error Message Box
On our multi-app kiosk, the message box titled "Restrictions" with the following message appears each time the system attempts to start "%SYSTEM32%\CLEANMGR.EXE", which is an allowed app.
"This operation has been cancelled due to restrictions in effect on this computer. Please contact your system administrator."
Following the documentation, I have reviewed the following event logs:
- Application
- Security
- System
- Microsoft-Windows-AppLocker/Packaged app-Execution
- Microsoft-Windows-AppLocker/Packaged app-Deployment
- Microsoft-Windows-AppLocker/MSI and Script
- Microsoft-Windows-AppLocker/EXE and DLL
- Microsoft-Windows-AssignedAccess/Operational
- Microsoft-Windows-AssignedAccess/Admin
Error ID 8004 is listed in the "EXE and DLL" log at 4/26/2021 4:13:25 PM by provider Microsoft-Windows-AppLocker with the following message:
%SYSTEM32%\CLEANMGR.EXE was prevented from running.
I have a Windows 10 1903 (18362.1256 build) Dell OptiPlex 7050 set up as a multi-app kiosk. I have allowed multiple applications using the "AllowedApps" list in the assigned access configuration XML file. Here is a redacted copy of the assigned access configuration XML file. I've used both the App User Model ID (AUMID) and the full path of the executable. I've verified the XML using the XSD. I added the configuration XML to the Windows Configuration Designer project. From the Windows Configuration Designer I exported the provisioning package, copied it to the kiosk, installed the provisioning package, and rebooted. I ran the following as administrator to confirm there were no errors:
Get-ProvisioningPackage -AllInstalledPackages -Verbose
...some output omitted...
Rank : 11
Altitude : 5011
Version : 3.14
OwnerType : ITAdmin
Notes :
LastInstallTime : 4/22/2021 4:12:04 PM
Result : 0__AssignedAccess_MultiAppAssignedAccessSettings.provxml
Category:UxLockdown
LastResult:Success
Message:Provisioning succeeded
NumberOfFailures:0 (0x0)
1__Policies_Start_HideLock.provxml
Category:Policies
LastResult:Success
Message:Policies applied successfully.
NumberOfFailures:0 (0x0)
2__Policies_Start_HideShutDown.provxml
Category:Policies
LastResult:Success
Message:Policies applied successfully.
NumberOfFailures:0 (0x0)
3__Policies_Start_HideSleep.provxml
Category:Policies
LastResult:Success
Message:Policies applied successfully.
NumberOfFailures:0 (0x0)
4__SMISettings_AutoLogon.provxml
Category:UxLockdown
LastResult:Success
Message:Provisioning succeeded
NumberOfFailures:0 (0x0)
5__SMISettings_BrandingNeutral.provxml
Category:UxLockdown
LastResult:Success
Message:Provisioning succeeded
NumberOfFailures:0 (0x0)
6__SMISettings_NoLockScreen.provxml
Category:UxLockdown
LastResult:Success
Message:Provisioning succeeded
NumberOfFailures:0 (0x0)
When booting, the system signs in as the Active Directory user account, and the desired Excel workbook opens. I can further review the settings that the provisioning package created by looking at the registry and Group Policies. In the user's registry hive at "...\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", I can see that the "RestrictRun" DWORD is set to 1. The associated subkey of "RestrictRun" lists the various applications, each in its own string value, including "CLEANMGR.EXE". Running the following as administrator to get a Group Policy result, I can see that "CLEANMGR.EXE" is listed under User > Settings > Policies > Administrative Templates > System > Run only specified Windows applications.
Get-GPResultantSetOfPolicy -Computer [computername] -User [kiosk.username] -ReportType Html -Path c:\GPresult\20210426.html -Verbose
I am intentionally blocking most applications and need to continue to prevent the kiosk user from running most applications. I do want to allow the workstation to run any application for system health (anti-virus, updates, maintenance applications, etc.). I do not want to disable AppLocker.
How do I stop AppLocker from blocking the CLEANMGR.EXE application?
OR
How do I hide the message box displaying the error to the kiosk user?
-
Manasi Shirke (CONVERGYS CORPORATION) 81 Reputation points
2021-10-08T18:17:05.617+00:00
-
Teemo Tang 11,436 Reputation points
2021-04-28T08:02:19.463+00:00
I checked your assignedaccessconfiguration.xml; yes, cleanmgr.exe has been added to your AllowedApps.
Since AppLocker prevents cleanmgr.exe from running, I suggest manually allowing this executable file in AppLocker.
Use AppLocker to Allow or Block Executable Files in Windows 10 | Tutorials (tenforums.com)
https://www.tenforums.com/tutorials/124008-use-applocker-allow-block-executable-files-windows-10-a.html
Besides,
Make sure you don't configure the "Don't run specified Windows applications" GPO.
Make sure there is not a key called DisallowRun in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
-
MrMJFisher 46 Reputation points
2021-04-29T16:53:28.113+00:00
Thank you @Teemo Tang for reviewing my post and thank you for your sensible suggestion.
I've been hesitant to create an AppLocker rule to directly allow the executable file, as the first note under AllowedApps in Microsoft's "Set up a multi-app kiosk" advises:
Avoid creating AppLocker rules that conflict with AppLocker rules...
I will try your suggestion today and report the results on Monday.
The "Don't run specified Windows applications" GPO is not set under user's GPO settings. Below is a screenshot of the Get-GPResultantSetOfPolicy which I ran this morning:
There is not a key or value of DisallowRun in [...User's Hive...]\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer. Below is a screenshot of that key and its values:
-
MrMJFisher 46 Reputation points
2021-05-04T22:47:10.727+00:00
New error events continue to appear, but the user has not reported the message box appearing. Also, I now see a second event stating the exe was allowed to run.
ProviderName: Microsoft-Windows-AppLocker

TimeCreated          Id    LevelDisplayName  Message
-----------          --    ----------------  -------
5/3/2021 6:29:54 PM  8002  Information       %SYSTEM32%\CLEANMGR.EXE was allowed to run.
5/3/2021 6:29:54 PM  8004  Error             %SYSTEM32%\CLEANMGR.EXE was prevented from running.
5/3/2021 6:48:26 PM  8002  Information       %SYSTEM32%\CLEANMGR.EXE was allowed to run.
5/3/2021 6:48:26 PM  8004  Error             %SYSTEM32%\CLEANMGR.EXE was prevented from running.
Below is the output from Get-AppLockerPolicy -Local:$true -Xml
<?xml version="1.0" encoding="UTF-8"?>
<AppLockerPolicy Version="1">
  <RuleCollection Type="Appx" EnforcementMode="NotConfigured">
    <FilePublisherRule Id="2cc2f8b5-7a2f-49ae-a3ec-214f61a7333d" Name="Signed by Microsoft Corporation" Description="Publisher exception for Microsoft.WebMediaExtensions" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
  <RuleCollection Type="Dll" EnforcementMode="NotConfigured" />
  <RuleCollection Type="Exe" EnforcementMode="NotConfigured">
    <FilePublisherRule Id="60e4d6a5-5157-4e30-9cef-3b3d9b1a20ac" Name="Signed by O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" Description="Allow Microsoft Publisher" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePathRule Id="e6138701-efda-49a3-92c4-91936de21239" Name="%SYSTEM32%\CLEANMGR.EXE" Description="CleanMgr.EXE path exception" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%SYSTEM32%\CLEANMGR.EXE" />
      </Conditions>
    </FilePathRule>
  </RuleCollection>
  <RuleCollection Type="Msi" EnforcementMode="NotConfigured" />
  <RuleCollection Type="Script" EnforcementMode="NotConfigured" />
</AppLockerPolicy>
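The thread is juggling two separate enforcement layers: AppLocker (events 8002/8004 in the EXE and DLL log) and the Explorer RestrictRun list that the assigned-access package writes into the user's hive; the "This operation has been cancelled due to restrictions in effect on this computer" text quoted in the question is the Explorer shell-restriction message, not AppLocker's "This program is blocked by group policy" text. The following script is an added example, not code from the thread or from Microsoft; it correlates the AppLocker events for one binary (pulling the TargetUser SID and matched path out of the event XML, which the summary view hides), asks the effective AppLocker policy what it decides for the kiosk SID, and checks the RestrictRun list. The kiosk account SID is a placeholder and must be supplied; the script assumes it is run elevated on the kiosk while the kiosk user is logged on (so the hive is loaded under HKEY_USERS).

```powershell
# Added example: triage one binary across AppLocker and Explorer RestrictRun on a multi-app kiosk.
# Assumptions (not from the thread): run elevated on the kiosk; $KioskUserSid is a placeholder.
param(
    [string]$Binary       = "$env:SystemRoot\System32\cleanmgr.exe",
    [string]$KioskUserSid = 'S-1-5-21-PLACEHOLDER-1001',   # replace with the kiosk account's SID
    [int]$Hours           = 24
)
$leaf = Split-Path $Binary -Leaf

# 1. AppLocker 8002 (allowed) / 8004 (prevented) events for this binary. The UserData block of each
#    event carries the SID the decision applied to and the path AppLocker actually matched.
$filter = @{
    LogName   = 'Microsoft-Windows-AppLocker/EXE and DLL'
    Id        = 8002, 8004
    StartTime = (Get-Date).AddHours(-$Hours)
}
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    $data = ([xml]$_.ToXml()).Event.UserData.RuleAndFileData
    if ($data.FilePath -like "*\$leaf") {          # -like is case-insensitive: %SYSTEM32%\CLEANMGR.EXE matches
        [pscustomobject]@{
            Time       = $_.TimeCreated
            Decision   = if ($_.Id -eq 8002) { 'Allowed' } else { 'Prevented' }
            TargetUser = $data.TargetUser               # differs per logon: kiosk user vs. admin/system
            Rule       = $data.RuleName
            Path       = $data.FilePath
        }
    }
} | Sort-Object Time | Format-Table -AutoSize

# 2. Effective AppLocker decision for this file as seen by the kiosk account. Rules are evaluated
#    per SID, so an allow that holds for an administrator can still be a block for the kiosk user.
Get-AppLockerPolicy -Effective |
    Test-AppLockerPolicy -Path $Binary -User $KioskUserSid |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 3. Explorer RestrictRun list in the kiosk user's hive. This policy produces the "Restrictions"
#    message box on its own; entries are bare file names, so compare on the leaf name only.
$restrictRun = "Registry::HKEY_USERS\$KioskUserSid\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun"
if (Test-Path $restrictRun) {
    $key     = Get-Item $restrictRun
    $allowed = $key.GetValueNames() | ForEach-Object { $key.GetValue($_) }
    $listed  = [bool]($allowed | Where-Object { $_ -ieq $leaf })
    "RestrictRun lists ${leaf}: $listed (entries: $($allowed -join ', '))"
} else {
    "RestrictRun key not found under HKEY_USERS\$KioskUserSid (hive not loaded, or RestrictRun not set)"
}
```

If step 1 shows the 8004 event with a TargetUser other than the kiosk SID, the block belongs to a different logon session (for example a scheduled maintenance task), which is consistent with the paired allowed/prevented events at the same second in the output above.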
-
MrMJFisher 46 Reputation points
2021-05-05T00:04:05.13+00:00
The user just reported that the message box has reappeared. Time stamp on image is from today (we are PST/DST). Likely from another app being blocked, but I do see error logs after the image time stamp relating to the CLEANMGR.EXE.
Date Taken 5/4/2021 3:47 PM