none
Run Advertised Programs blocked by Software Restriction Policies

    Question

  • Hi,

          

    We has implemented Software Restriction Policies on our Windows XP SP2 build since last year ago before started using window7, but currently we are now having problems with the functioning of the SCCM Client after SCCM OSD window 7 migration.

    What the Software Restriction Policies does is prevent certain extensions from running such as EXE, COMs and VBS. They do have exclusion folders but I am not sure which folders should be excluded besides the standard Windows\System32\CCM folder for SCCM to function.

    I was wondering if there is any information about what access (Registry/File/Folder/Executable) the SCCM Client Install needs in order to run correctly.We are now unable to launch the Run Advertised Programs,Program Download Monitor and Configuration Manager due to the software restriction policy. 

    I have checked the Client Installation Logs which all report a successful install during SCCM OSD but when running the client it was blocked by the software restriction policy. I already added Software Restriction Policie Settings as below :-

    %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot% 
    %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\*.exe 
    %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\System32\*.exe 
    %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\System32\ccm 
    %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\System32\ccmsetup 
    %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%
    C:\Windows\System32\CCM
    C:\Windows\System32\ccmsetup


    But still unable to execute the Run Advertised program,Program Download Monitor and Configuration Manager. There is no problem with SCCM client execution if i move out that testing machine from the software restriction policy OU.

    Is it any thing i still need to add into the software restriction policy in order to execute the SCCM client. 

    Any ideas would be welcome.

    Thanks and regards,

    Leong

    Software restriction policy 

    SCCM Client Blocked By Software Restriction Policy


    Leong

    Monday, July 09, 2012 6:07 AM

Answers

  • Hi,

    I found that Microsoft’s recommendation for Windows 7 should be to stop using SRP and move towards AppLocker as you can generate default rules that will take care of problems like this. This is because AppLocker’s executable rules will already include C:\Windows and C:\Program Files paths to be excluded from restriction for all users. My problem solved after i used the Apploacker rather than SRP.

    Cheers :)

    Leong


    Leong

    • Marked as answer by YS Leong Monday, August 06, 2012 12:12 AM
    Monday, August 06, 2012 12:12 AM

All replies