[SOLVED] Software Restriction Policy breaks Windows 10 Pro start menu

Notorious.DDS 1 Reputation point
2022-03-03T15:38:47.987+00:00

Hi All,

I'm trying to set up some Windows 10 Pro devices using Group Policy Management. (My domain controller is Windows Server 2019... FWIW). My objective is to limit the function of these devices to VERY narrow use for which they're intended using "Software Restriction Policy". The issue I'm having is that the start menu becomes disabled UNLESS I grant permission to the entire "Program Files" directory.

I used this GPO without issue on some devices running Windows 8.1. However, regardless of the tweaks I've tried to my GPO, I seem to need to leave access to all "Program Files" in order for the start menu to function.

I looked into this thread:
http://social.msdn.microsoft.com/Forums/en-US/win10itprogeneral/thread/e5f38ed5-774a-46e9-b830-acfa65a3f53c/

However, changes to UAC don't seem to make any difference.

Further complicating things is that the SRP log isn't throwing any errors that are helpful. (In fact, the only app that is showing to be disallowed is Edge, but I don't believe that's involved in my issue with the start menu.)

I'm at a loss here and any ideas are appreciated.

Thanks!


1 answer

  1. Notorious.DDS 1 Reputation point
    2022-03-04T13:32:08.463+00:00

    I got it figured out.

    Apparently, I needed the security level of my SRP path rule %Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot% (aka C:\Windows) to be "Unrestricted".

    When using this GPO with my Windows 8.1 machines, I had this rule set to "Basic User" and all was fine. Apparently this needs to be "Unrestricted" with Windows 10.

    NOTE: I'm not sure why I was able to get my start menu to work periodically when I fiddled with my "Program Files" rule. I suspect it had to do with having to completely disable/reenable the GPO altogether in order to get the start menu back. After which, it usually required at least 2 login/logout attempts to get things going. However, that part is just a guess.

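An added example, not part of the original post or answer: a PowerShell check, run on an affected client, that lists the SRP path rules the GPO actually applied and flags a SystemRoot rule that is not "Unrestricted". It assumes the policy is computer-scoped, so the rules sit under the standard SRP policy key in HKLM; the function name Get-SrpPathRule is hypothetical.

```powershell
# Added example: report applied SRP path rules and the level of the SystemRoot rule.
# Assumes a computer-scoped policy (rules under HKLM); run on the affected client.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# SAFER level IDs; SRP uses them as subkey names under CodeIdentifiers.
$levelNames = @{
    0      = 'Disallowed'
    4096   = 'Constrained'
    65536  = 'Untrusted'
    131072 = 'Basic User'
    262144 = 'Unrestricted'
}

function Get-SrpPathRule {   # hypothetical helper name
    param([string]$PolicyRoot = $base)
    if (-not (Test-Path -LiteralPath $PolicyRoot)) { return }
    foreach ($levelKey in Get-ChildItem -LiteralPath $PolicyRoot) {
        $levelId = 0
        if (-not [int]::TryParse($levelKey.PSChildName, [ref]$levelId)) { continue }
        $paths = $levelKey.OpenSubKey('Paths')
        if ($null -eq $paths) { continue }
        foreach ($ruleId in $paths.GetSubKeyNames()) {
            $rule = $paths.OpenSubKey($ruleId)
            # Keep %...% tokens as stored instead of expanding them.
            $raw = $rule.GetValue('ItemData', $null,
                [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
            $name = $levelNames[$levelId]
            if (-not $name) { $name = "Unknown ($levelId)" }
            [pscustomobject]@{ LevelId = $levelId; Level = $name; Path = $raw; RuleId = $ruleId }
        }
    }
}

$rules = @(Get-SrpPathRule)
$rules | Sort-Object LevelId, Path | Format-Table Level, Path -AutoSize | Out-String | Write-Host

# The registry-path rule that resolves to C:\Windows ends in ...\CurrentVersion\SystemRoot%
$sysRoot = @($rules | Where-Object { $_.Path -like '*\CurrentVersion\SystemRoot%' })
if ($sysRoot.Count -eq 0) {
    Write-Warning 'No SystemRoot path rule found in the applied policy.'
}
foreach ($r in $sysRoot) {
    if ($r.LevelId -eq 262144) {
        Write-Host "SystemRoot rule is Unrestricted: $($r.Path)"
    } else {
        Write-Warning "SystemRoot rule is '$($r.Level)'; the answer above needed Unrestricted on Windows 10."
    }
}
```

Run it from an elevated prompt after `gpupdate /force` so the output reflects the current GPO rather than a cached policy.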