Software Restriction Policy and RDP

    Question

  • I am new to Software Restriction Policies and I'm sure I am just missing something. When I run mstsc.exe with the admin flag everything works correctly. When I run it without the admin flag I get the following error:

    The remote session was disconnected because license store creation failed with access denied.  Please run remote desktop client with elevated privileges.

    This was working correctly before we started testing Software Restriction Policies.

    This is a Windows 7 32-bit machine.

    Below is the policy in question. Any help you can provide would be great. Thanks in advance!

    Computer Configuration (Enabled)
    Policies
    Windows Settings
    Security Settings
    Public Key Policies/Trusted Root Certification Authorities
    Properties
    Policy Setting
    Allow users to select new root certification authorities (CAs) to trust Enabled
    Client computers can trust the following certificate stores Third-Party Root Certification Authorities and Enterprise Root Certification Authorities
    To perform certificate-based authentication of users and computers, CAs must meet the following criteria Registered in Active Directory only

    Software Restriction Policies
    Enforcement
    Policy Setting
    Apply software restriction policies to the following All software files
    Apply software restriction policies to the following users All users except local administrators
    When applying software restriction policies Ignore certificate rules
     
    Designated File Types
    File Extension File Type
    ADE ADE File
    ADP ADP File
    BAS BAS File
    BAT Windows Batch File
    CHM Compiled HTML Help file
    CMD Windows Command Script
    COM MS-DOS Application
    CPL Control Panel Item
    CRT Security Certificate
    EXE Application
    HLP Help File
    HTA HTML Application
    INF Setup Information
    INS INS File
    ISP ISP File
    MDB MDB File
    MDE MDE File
    MSC Microsoft Common Console Document
    MSI Windows Installer Package
    MSP Windows Installer Patch
    MST MST File
    OCX ActiveX Control
    PCD PCD File
    PIF Shortcut to MS-DOS Program
    REG Registration Entries
    SCR Screen Saver
    SHS SHS File
    URL Internet Shortcut
    VB Visual Basic Source file
    WSC Windows Script Component
    ZIP Compressed (zipped) Folder
     
    Trusted Publishers
    Trusted publisher management Allow all administrators and users to manage user's own Trusted Publishers
    Certificate verification None
     

    Software Restriction Policies/Security Levels
    Policy Setting
    Default Security Level Disallowed

    Software Restriction Policies/Additional Rules
    Hash Rules
    mstsc.exe (6.0.6002.18005); mstsc.exe; Remote Desktop Connection; Microsoft® Windows® Operating System; Microsoft Corporation
    Security Level Unrestricted
    Description  
    Date last modified 1/20/2015 12:38:43 PM
     

    Internet Zone Rules
    Local computer
    Security Level Unrestricted
    Description This zone contains Web sites that are on your local computer.
    Date last modified 1/20/2015 10:46:33 AM
     
    Local intranet
    Security Level Unrestricted
    Description This zone contains all Web sites that are on your organization's intranet.
    Date last modified 1/20/2015 11:59:51 AM
     
    Trusted sites
    Security Level Unrestricted
    Description This zone contains Web sites that you trust not to damage your computer or data.
    Date last modified 1/20/2015 12:02:23 PM
     

    Path Rules
    %localappdata%\temp\*.tmp\centricity.bat
    Security Level Unrestricted
    Description  
    Date last modified 1/20/2015 12:08:17 PM
     
    %localappdata%\Temp\*.tmp\dentrix.bat
    Security Level Unrestricted
    Description  
    Date last modified 1/20/2015 12:07:45 PM
     
    %localappdata%\temp\*\centricity.bat
    Security Level Unrestricted
    Description  
    Date last modified 1/20/2015 12:08:34 PM
     
    %localappdata%\temp\*\dentrix.bat
    Security Level Unrestricted
    Description  
    Date last modified 1/20/2015 12:08:52 PM
     
    \\hotcfs1.otc.local\Jop_dentrontdesk\*.bat
    Security Level Unrestricted
    Description  
    Date last modified 1/20/2015 12:29:05 PM
     
    \\hotcfs1\thinapp\*\msi\adobe*.exe
    Security Level Unrestricted
    Description  
    Date last modified 1/20/2015 12:28:09 PM
     
    c:\Program Files
    Security Level Unrestricted
    Description  
    Date last modified 12/12/2014 1:42:08 PM
     
    c:\Program Files (x86)
    Security Level Unrestricted
    Description  
    Date last modified 12/12/2014 1:40:26 PM
     
    c:\users\public\desktop\centricity.exe
    Security Level Unrestricted
    Description  
    Date last modified 12/12/2014 2:26:46 PM
     
    c:\users\public\desktop\dentrix.exe
    Security Level Unrestricted
    Description  
    Date last modified 12/12/2014 2:26:54 PM
     
    c:\windows\
    Security Level Unrestricted
    Description  
    Date last modified 1/20/2015 12:42:05 PM
     
    c:\windows\system32
    Security Level Unrestricted
    Description  
    Date last modified 1/20/2015 12:42:17 PM
     

    Administrative Templates
    Policy definitions (ADMX files) retrieved from the central store.
    System/Group Policy
    Policy Setting Comment
    User Group Policy loopback processing mode Enabled  
    Mode: Merge
     

    User Configuration (Enabled)
    Preferences
    Windows Settings
    Registry
    Registry item: LogFileName
    General
    Action Update
    Properties
    Hive HKEY_LOCAL_MACHINE
    Key path SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers
    Value name LogFileName
    Value type REG_SZ
    Value data c:\restriction.txt

    Common
    Options
    Stop processing items on this extension if an error occurs on this item No
    Run in logged-on user's security context (user policy option) No
    Remove this item when it is no longer applied No
    Apply once and do not reapply No

    Tuesday, January 20, 2015 8:33 PM

Answers

  • I apologize for my delay.  It turns out that the MSLicensing Key was not there on the VM I was working with.  I added the key and subkeys manually and gave permissions to them.  This resolved the issues I was experiencing.

    Chris

    Tuesday, February 3, 2015 3:45 PM
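
An added example (not code from either poster) of the two checks this thread turns on: what the SRP log configured in the posted policy recorded for mstsc.exe, and whether the current non-admin user can open the RDP license store for writing. The registry location SOFTWARE\Microsoft\MSLicensing under HKLM and the log line shape are assumptions, since the thread only names the "MSLicensing key"; the sample log lines and GUIDs are constructed.

```powershell
# Added example, not from the thread. Run as the affected non-admin user.
$srpLog = 'C:\restriction.txt'               # LogFileName value in the posted GPO
$licSub = 'SOFTWARE\Microsoft\MSLicensing'   # assumed location of the "MSLicensing key"

function Get-SrpDecision {
    param([string[]]$Lines, [string]$ImageName)
    # Assumed log line shape:
    #   parent.exe (PID = 123) identified C:\dir\file.exe as Unrestricted using path rule, Guid = {...}
    $rx = '^(?<parent>.+?) \(PID = (?<id>\d+)\) identified (?<path>.+?) as (?<level>\w+) using (?<rule>.+? rule), Guid = (?<guid>\{[0-9A-Fa-f-]+\})'
    foreach ($line in $Lines) {
        if ($line -match $rx -and $Matches['path'] -like "*\$ImageName") {
            New-Object PSObject -Property @{
                Path = $Matches['path']; Level = $Matches['level']
                Rule = $Matches['rule']; Guid  = $Matches['guid']
            }
        }
    }
}

function Test-LicenseStore {
    param([string]$SubKey)
    try {
        # Ask for write access as the current user; $null means the key does not exist.
        $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($SubKey, $true)
        if ($null -eq $key) { return 'Missing' }
        $key.Close()
        return 'Writable'
    } catch [System.Security.SecurityException], [System.UnauthorizedAccessException] {
        return 'AccessDenied'
    }
}

# Constructed sample lines (placeholder GUIDs), used only when the real log is absent.
$sample = @(
    'explorer.exe (PID = 1888) identified C:\Windows\system32\mstsc.exe as Unrestricted using path rule, Guid = {00000000-0000-0000-0000-000000000001}'
    'explorer.exe (PID = 1888) identified C:\Users\demo\Downloads\tool.exe as Disallowed using default rule, Guid = {00000000-0000-0000-0000-000000000002}'
)
$lines = if (Test-Path -LiteralPath $srpLog) { Get-Content -LiteralPath $srpLog } else { $sample }

# If mstsc.exe is logged as Unrestricted, SRP allowed it and the failure lies elsewhere.
Get-SrpDecision -Lines $lines -ImageName 'mstsc.exe' | Format-Table -AutoSize
"License store: $(Test-LicenseStore -SubKey $licSub)"
```

A result of Missing or AccessDenied alongside an Unrestricted log entry for mstsc.exe points at the license store rather than at the Software Restriction Policy.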

All replies

  • Hi Chris,

    Before going further, sorry for the late response.

    Based on the description, we can temporarily un-configure the hash rule policy setting for mstsc.exe to see if the issue persists.

    Besides, we can follow the procedure described in the "Let me fix it myself" section in the following KB article to see if it helps. Note, when following the procedure, we need to replace the ALL APPLICATION PACKAGES with the specific users.

    Windows Store apps that use the Remote Desktop ActiveX interface do not connect to remote servers in Windows 8

    http://support2.microsoft.com/kb/2782802

    If the suggestion above helps and we have multiple clients, we can use the following policy setting to edit the registry key permissions for the users on all clients.

    Computer Configuration\Policies\Windows Settings\Security Settings\Registry

    Best regards,
    Frank Shen



    Monday, January 26, 2015 1:50 AM
    Moderator