none
Software Restrictions Policy - Win 10 - Disallowed wont let any apps run, at all.

    Question

  • Hello,

    Trying to implement a test policy right now. What i have done:

    Created a central store, applied win 10 1607 templates. Working.

    Created new OU, test user and PC in this OU to test, so no other policies. Using a computer policy for this, not user.

    Set SRP default policy to disallowed, set allow local admins bypass.

    I have set for example, the following path rules to unrestricted:

       c:\program files (x86)\adobe\acrobat reader DC\Reader\

       c:\program files\lenovo\lenovo solution center\

    Nothing can run, the shortcuts on the desktop all report software is blocked.

    What am i missing here?  I ran RSoP and the policy is coming and i can make changes to it and see the changes on each pass so i know policy is flowing down ok, but for some reason it just wont allow anything to run no matter what i put in the list!

    Wednesday, December 07, 2016 7:20 PM

Answers

  • Actually it looks like SRP isn't supported pasty windows vista i am seeing perhaps thats why this isn't working.
    • Marked as answer by ScratchDuffer Thursday, December 08, 2016 4:34 PM
    Thursday, December 08, 2016 4:22 PM

All replies

  • Hi,

    I did some research regarding the issue, one solution is creating a hash rule for the particular program that was getting blocked in the same path as the restricted path rule. You could try it and report back.

    Path Rule: This blocks programs based on the path the software is being executed from.  So creating the path rule keeps that software from running from a certain place on the hard drive.  A user can move the program out of that path and it WILL work and execute.

    Hash Rule:  A hash rule is much better at completely blocking a program as it is created based on a hash algorithm which is calculated based on the actual binary of the program.  So, no matter where the program is executed, it will be blocked.  Moving the program to another location has no effect.  The downside is that each version of the program will have a different calculated hash, so blocking one version based on a hash rule becomes ineffective once the program is changed or updated.

    Best Regards,

    Alvin Wang


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, December 08, 2016 8:42 AM
    Moderator
  • Hi Alvin

    I cant use hash rules for one of the apps as it changes from a developer without much notice.  Is this something to do with win 10?

    Thursday, December 08, 2016 3:31 PM
  • Actually it looks like SRP isn't supported pasty windows vista i am seeing perhaps thats why this isn't working.
    • Marked as answer by ScratchDuffer Thursday, December 08, 2016 4:34 PM
    Thursday, December 08, 2016 4:22 PM