Multi-app Kiosk's Allowed desktop App Triggering Restrictions Error Message Box

MrMJFisher 46 Reputation points
2021-04-27T18:49:24.24+00:00

On our multi-app kiosk, the message box titled "Restrictions" with the following message appears each time the system attempts to start "%SYSTEM32%\CLEANMGR.EXE"; which is an allowed app.

"This operation has been cancelled due to restrictions in effect on this computer. Please contact your system administrator."

91759-errormessage.jpg
Following the documentation, I have reviewed the following event logs:

  • Application
  • Security
  • System
  • Microsoft-Windows-AppLocker/Packaged app-Execution
  • Microsoft-Windows-AppLocker/Packaged app-Deployment
  • Microsoft-Windows-AppLocker/MSI and Script
  • Microsoft-Windows-AppLocker/EXE and DLL
  • Microsoft-Windows-AssignedAccess/Operational
  • Microsoft-Windows-AssignedAccess/Admin

Error ID 8004 is listed in the "EXE and DLL" log at 4/26/2021 4:13:25 PM by provider Microsoft-Windows-AppLocker with the following message:

%SYSTEM32%\CLEANMGR.EXE was prevented from running.

I have a Windows 10 1903 (18362.1256 build) Dell OptiPlex 7050 setup as a multi-app kiosk. I have allowed multiple applications using the "AllowedApps" list in the xml file of the assigned access configuration XML file. Here is a redacted copy of the assigned access configuration XML file. I've used both the App User Model ID (AUMID) and the full path of the executable. I've verified the xml using the XSD. I added the configuration XML to the Windows Configuration Designer project. From the Windows Configuration Designer I exported the provisioning package, copied to the kiosk, installed the provisioning package, and rebooted. I ran the following as administrator to confirm there were no errors:

        Get-ProvisioningPackage -AllInstalledPackages -Verbose  
...some output omitted...  
    Rank            : 11  
    Altitude        : 5011  
    Version         : 3.14  
    OwnerType       : ITAdmin  
    Notes           :  
    LastInstallTime : 4/22/2021 4:12:04 PM  
    Result          : 0__AssignedAccess_MultiAppAssignedAccessSettings.provxml  
                            Category:UxLockdown  
                            LastResult:Success  
                            Message:Provisioning succeeded  
                            NumberOfFailures:0 (0x0)  
      
                      1__Policies_Start_HideLock.provxml  
                            Category:Policies  
                            LastResult:Success  
                            Message:Policies applied successfully.  
                            NumberOfFailures:0 (0x0)  
      
                      2__Policies_Start_HideShutDown.provxml  
                            Category:Policies  
                            LastResult:Success  
                            Message:Policies applied successfully.  
                            NumberOfFailures:0 (0x0)  
      
                      3__Policies_Start_HideSleep.provxml  
                            Category:Policies  
                            LastResult:Success  
                            Message:Policies applied successfully.  
                            NumberOfFailures:0 (0x0)  
      
                      4__SMISettings_AutoLogon.provxml  
                            Category:UxLockdown  
                            LastResult:Success  
                            Message:Provisioning succeeded  
                            NumberOfFailures:0 (0x0)  
      
                      5__SMISettings_BrandingNeutral.provxml  
                            Category:UxLockdown  
                            LastResult:Success  
                            Message:Provisioning succeeded  
                            NumberOfFailures:0 (0x0)  
      
                      6__SMISettings_NoLockScreen.provxml  
                            Category:UxLockdown  
                            LastResult:Success  
                            Message:Provisioning succeeded  
                            NumberOfFailures:0 (0x0)  

When booting the system signs in as the Active Directory user account, and the desired Excel workbook opens. I can further review the settings that the provisioning package created by looking at the registry and Group Polices. In the user's registry hive at "...\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", I can see that the "RestrictRun" DWORD is set to 1. The associated subkey of "RestrictRun" lists the various applications, each in their own string value, including the "CLEANMGR.EXE". Running the following as administrator to get a Group Policy result I can see the "CLEANMGR.EXE" is listed under User > Settings > Policies > Administrative Templates > System > Run only specified Windows applications.

Get-GPResultantSetOfPolicy -Computer [comptuername] -User [kiosk.username] -ReportType Html -Path c:\GPresult\20210426.html -Verbose  

I am intentionally blocking most applications and need to continue to prevent the kiosk user from running most applications. I do want to allow the workstation to run any application for system health (anti-virus, updates, maintenance application, etc.). I do not want to disable applocker.
How do I stop the applocker from blocking the CLEANMGR.EXE application?
OR
How do I hide the message box displaying the error to the kiosk user?

Windows
Windows
A family of Microsoft operating systems that run across personal computers, tablets, laptops, phones, internet of things devices, self-contained mixed reality headsets, large collaboration screens, and other devices.
5,630 questions
Windows 10 Setup
Windows 10 Setup
Windows 10: A Microsoft operating system that runs on personal computers and tablets.Setup: The procedures involved in preparing a software program or application to operate within a computer or mobile device.
1,954 questions
Windows 10 Security
Windows 10 Security
Windows 10: A Microsoft operating system that runs on personal computers and tablets.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
2,956 questions
0 comments No comments
{count} votes

Accepted answer
  1. 2021-10-08T18:17:05.617+00:00

    Check for Variable path in system. As Kiosk and user domain is same.
    %SYSTEM32%\ variable is accessible from RUN ?
    If not, need to make necessary changes.

    1 person found this answer helpful.

10 additional answers

Sort by: Most helpful
  1. Teemo Tang 11,436 Reputation points
    2021-04-28T08:02:19.463+00:00

    I checked your assignedaccessconfiguration.xml, yes, cleanmgr.exe has been added into your AllowedApps.
    92018-all.jpg
    Since AppLocker prevent cleanmgr.exe from running, I suggest to manually Allow this Executable Files in AppLocker.
    Use AppLocker to Allow or Block Executable Files in Windows 10 | Tutorials (tenforums.com)
    https://www.tenforums.com/tutorials/124008-use-applocker-allow-block-executable-files-windows-10-a.html

    Besides,
    Make sure you don’t configure Don’t run specified Windows applications GPO.
    Make sure there is not a key called DisallowRun in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

    -------------------------------------------------------------------------------------

    If the Answer is helpful, please click "Accept Answer" and upvote it.
    Information posted in the given link is hosted by a third party. Microsoft does not guarantee the accuracy and effectiveness of information.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    1 person found this answer helpful.

  2. MrMJFisher 46 Reputation points
    2021-04-29T16:53:28.113+00:00

    Thank you @Teemo Tang for reviewing my post and thank you for your sensible suggestion.

    I've been hesitant to create AppLocker rule to directly Allow the executable file as the first note under AllowApps in Microsoft's Set up a multi-app kiosk advices to;

    Avoid creating AppLocker rules that conflict with AppLocker rules...

    I will try your suggestion today and report the results on Monday.

    The "Don't run specified Windows applications" GPO is not set under user's GPO settings. Below is a screenshot of the Get-GPResultantSetOfPolicy which I ran this morning:
    92666-20210429-gpresult.png

    The is not a key or value of DisallowRun in [...User's Hive...]\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer. Below is a screenshot of that key and it's values:
    92590-registry-polices-explorer.png

    0 comments No comments

  3. MrMJFisher 46 Reputation points
    2021-05-04T22:47:10.727+00:00

    New error events continue to appear, but the user has not reported the message box appearing. Also, I now see a second event stating the exe was allowed to run.

       ProviderName: Microsoft-Windows-AppLocker
    
    TimeCreated                      Id LevelDisplayName Message
    -----------                      -- ---------------- -------
    5/3/2021 6:29:54 PM            8002 Information      %SYSTEM32%\CLEANMGR.EXE was allowed to run.
    5/3/2021 6:29:54 PM            8004 Error            %SYSTEM32%\CLEANMGR.EXE was prevented from running.
    5/3/2021 6:48:26 PM            8002 Information      %SYSTEM32%\CLEANMGR.EXE was allowed to run.
    5/3/2021 6:48:26 PM            8004 Error            %SYSTEM32%\CLEANMGR.EXE was prevented from running.
    

    Below it the output from the Get-AppLockerPolicy -Local:$true -Xml

    <?xml version="1.0" encoding="UTF-8"?>
    <AppLockerPolicy Version="1">
       <RuleCollection Type="Appx" EnforcementMode="NotConfigured">
          <FilePublisherRule Id="2cc2f8b5-7a2f-49ae-a3ec-214f61a7333d" Name="Signed by Microsoft Corporation" Description="Publisher exception for Microsoft.WebMediaExtensions" UserOrGroupSid="S-1-1-0" Action="Allow">
             <Conditions>
                <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="*" BinaryName="*">
                   <BinaryVersionRange LowSection="*" HighSection="*" />
                </FilePublisherCondition>
             </Conditions>
          </FilePublisherRule>
       </RuleCollection>
       <RuleCollection Type="Dll" EnforcementMode="NotConfigured" />
       <RuleCollection Type="Exe" EnforcementMode="NotConfigured">
          <FilePublisherRule Id="60e4d6a5-5157-4e30-9cef-3b3d9b1a20ac" Name="Signed by O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" Description="Allow Microsoft Publisher" UserOrGroupSid="S-1-1-0" Action="Allow">
             <Conditions>
                <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="*" BinaryName="*">
                   <BinaryVersionRange LowSection="*" HighSection="*" />
                </FilePublisherCondition>
             </Conditions>
          </FilePublisherRule>
          <FilePathRule Id="e6138701-efda-49a3-92c4-91936de21239" Name="%SYSTEM32%\CLEANMGR.EXE" Description="CleanMgr.EXE path exception" UserOrGroupSid="S-1-1-0" Action="Allow">
             <Conditions>
                <FilePathCondition Path="%SYSTEM32%\CLEANMGR.EXE" />
             </Conditions>
          </FilePathRule>
       </RuleCollection>
       <RuleCollection Type="Msi" EnforcementMode="NotConfigured" />
       <RuleCollection Type="Script" EnforcementMode="NotConfigured" />
    </AppLockerPolicy>
    
    0 comments No comments

  4. MrMJFisher 46 Reputation points
    2021-05-05T00:04:05.13+00:00

    The user just reported that the message box has reappeared. Time stamp on image is from today (we are PST/DST). Likely from another app being blocked, but I do see error logs after the image time stamp relating to the CLEANMGR.EXE.

    Date Taken 5/4/2021 3:47 PM

    93627-img-2259.jpg

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.