Software Restriction Policy Client issues

    Question

  • Hi,

    We have implemented Software Restriction Policy in disallowed mode and configured several pieces of software as exceptions. Everything works fine; however, suddenly some of the users face an issue where all executables on those PCs stop working, including default Windows files like cmd, gpupdate, rsop, etc. After rebooting the PC, everything starts working normally.

    We have checked the logs but found no clue. I have also enabled logging for SRP, but in the log file I am not able to understand anything properly.

    When any of the exes is getting blocked, it shows GUID {11015445-d282-4f86-96a2-9e485f593302},

    and when any exe is getting passed, the GUID shown is {191cd7fa-f240-4a17-8986-94d480a6c8ca}.

    These GUIDs are not related to any of the GPOs in the domain. The sample entry in the log file is as follows:

    ============================================================================

    explorer.exe (PID = 3944) identified C:\Program Files\Microsoft Office\Office15\EXCEL.EXE as Disallowed using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}

    SearchIndexer.exe (PID = 5700) identified C:\Windows\system32\SearchFilterHost.exe as Unrestricted using path rule, Guid = {191cd7fa-f240-4a17-8986-94d480a6c8ca}

    ==============================================================================

    Wednesday, November 16, 2016 12:30 PM

All replies

  • Hi,
    The GUIDs in your thread are indeed not for GPOs; they are the IDs of rules in the Software Restriction Policy. Each log entry includes the caller of the software restriction policy and the process ID (PID) of the calling process, the target being evaluated, the type of software restriction policy rule that was hit, and an identifier for the rule. Please see details from:
    Application Lockdown with Software Restriction Policies
    https://technet.microsoft.com/en-us/library/2008.06.srp.aspx
    For troubleshooting, please check:
    1. How many users are affected by the same issue?
    2. Has any change been made on the problematic clients, such as patching?
    3. What system are the users' machines running?
    In this case, I would suggest you try an AppLocker policy to see if the same problem happens again; you could follow the article below to test it:
    How to configure AppLocker Group Policy to prevent software from running
    https://social.technet.microsoft.com/wiki/contents/articles/5211.how-to-configure-applocker-group-policy-to-prevent-software-from-running.aspx
    Best regards,
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Thursday, November 17, 2016 2:29 AM
    Moderator
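The reply above spells out the fields of an SRP log entry (caller and PID, target, security level, rule type, rule GUID). The following parser, an added example and not code from the original thread or from Microsoft, turns a log file into records and applies the check a defender wants for the symptom reported here: which rule GUID is doing the blocking, and whether binaries under the Windows directory are being hit by the default Disallowed rule. The two log lines from the question are reused as sample input; the `cmd.exe` and `gpupdate.exe` lines are constructed to illustrate the reported symptom, and the `SAMPLE_LOG` text, `LINE_RE` pattern and `blocked_system_binaries` function are this example's own names, not part of SRP.

```python
import re
from collections import Counter

# Shape of one SRP log line, as described in the reply above:
#   <caller> (PID = <pid>) identified <target> as <level> using <rule> rule, Guid = {<guid>}
LINE_RE = re.compile(
    r"^(?P<caller>\S+) \(PID = (?P<pid>\d+)\) identified (?P<target>.+?) "
    r"as (?P<level>\w+) using (?P<rule>.+?) rule, Guid = \{(?P<guid>[0-9A-Fa-f-]+)\}$"
)


def parse_line(line):
    """Parse one SRP log line into a dict, or return None for lines of another shape."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    rec["guid"] = rec["guid"].lower()  # normalise so the same rule always compares equal
    return rec


def parse_log(text):
    """Parse a whole log; separators and blank lines are skipped."""
    return [r for r in (parse_line(ln) for ln in text.splitlines()) if r]


def rule_summary(records):
    """Count hits per (level, rule type, GUID): this is what maps a GUID to the rule that fired."""
    return Counter((r["level"], r["rule"], r["guid"]) for r in records)


def blocked_system_binaries(records, system_root=r"C:\Windows"):
    """Targets under the Windows directory that SRP disallowed.

    A healthy default-Disallowed policy should still let these run via its
    exceptions, so any hit here is the anomaly described in the thread.
    """
    prefix = system_root.lower().rstrip("\\") + "\\"
    return sorted({
        r["target"] for r in records
        if r["level"].lower() == "disallowed" and r["target"].lower().startswith(prefix)
    })


# Constructed sample: the two lines from the question plus two constructed lines
# showing system binaries being blocked by the default rule (the reported symptom).
SAMPLE_LOG = r"""
============================================================================
explorer.exe (PID = 3944) identified C:\Program Files\Microsoft Office\Office15\EXCEL.EXE as Disallowed using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}
SearchIndexer.exe (PID = 5700) identified C:\Windows\system32\SearchFilterHost.exe as Unrestricted using path rule, Guid = {191cd7fa-f240-4a17-8986-94d480a6c8ca}
explorer.exe (PID = 3944) identified C:\Windows\system32\cmd.exe as Disallowed using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}
cmd.exe (PID = 1200) identified C:\Windows\system32\gpupdate.exe as Disallowed using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}
==============================================================================
"""


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for (level, rule, guid), n in rule_summary(recs).most_common():
        print(f"{n:3d}  {level:<12} {rule:<12} rule  {{{guid}}}")
    blocked = blocked_system_binaries(recs)
    if blocked:
        print("Windows binaries hit by Disallowed:")
        for t in blocked:
            print("  ", t)
```

Run it against the real log (read the file and pass its contents to `parse_log`) on a machine while it is in the broken state, before the reboot clears it. If the summary shows system binaries falling through to the default rule, the exception rules that should have matched them were not applied at that moment, which narrows the question to why the policy on that client differed from the policy in the GPO. The rule GUIDs themselves can be cross-checked on the client under `HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers`, where each security level holds its rules in GUID-named subkeys.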
  • Hi,

    I have checked the log file of the same system that was having the issue of all exes getting blocked, and everything works fine after a reboot.

    Everything is fine except the GUIDs which I have mentioned above. How do I understand the meaning of the GUIDs, and is there a way to understand the reason for the blocking?

    AppLocker policies cannot be enforced on Windows 7 Professional, and most of the endpoints in our organisation are Windows 7.

    Friday, November 18, 2016 10:08 AM
  • Hi,
    Please share with us the detailed configuration of the policy and which type of restriction rule you are using: certificate rules, hash rules, or path rules? And have you tried setting up the policy with other rules to see if the same error appears?
    Best regards,
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Monday, November 21, 2016 2:19 AM
    Moderator
  • Hi,

    The default computer-based rule is Disallowed, and exceptions are created based on a mix of all the rule types, like hash, path and certificate.

    We have created the policy several times and restored settings from backup, but to no avail. The issue happens suddenly on one or two PCs and goes away after a reboot.

    How do we troubleshoot this, and what should be checked at the client end?

    Monday, November 21, 2016 6:25 AM
  • Hi,
    If the issue is only happening on the specific one or two clients, I would suggest that you move the problematic computer accounts out of the OU to which the GPO is linked, run the gpupdate /force command, and then re-add them to see if the error still appears.
    Alternatively, have you tried scanning the problematic clients' systems for viruses?
    Personally, I would even re-join them to the domain to see if that works.
    Best regards,
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Wednesday, November 30, 2016 9:59 AM
    Moderator