Blog: applocker

We have a customer that I'm working with to rebuild their RDS farm from 2008R2 servers to 2016. Once I finished the initial deployment, I began testing the builds and realized pretty quickly that I couldn't open the start menu or even use the search feature in the taskbar no matter what I tried.

I was using the same group policies that were currently applied on their existing farm thinking it should transition pretty smoothly, but that turned out not to be the case. I was eventually able to narrow it down to a single policy, but I also made the mistake of using Group Policy Management from their current 2008R2 management server, which I discovered later on complicated the troubleshooting since the setting causing the issue isn't visible from the 2008R2 console.

It ultimately turned out to be due to AppLocker's Packaged App Rules. Since this had never been configured previously, there was no default rule to allow signed packaged apps that had been introduced in Server 2012 and later, and that is what was ultimately breaking the Start button/Search feature.


 

Recently, I built a brand new Server 2016 system for one of our customer domains. This was the first Server 2016 server in this domain, but not the first one I had built – the procedures should have been fairly straightforward and similar to other build-outs in the past.

After the initial install, I went to the Settings app and tried to install the available Windows Updates. However, every time that I tried to open Settings, I got this message saying the app had been blocked:

Strangely enough, I was the system administrator the message kindly passed the blame onto, and I don’t remember blocking the Settings app – especially on the first 2016 server in this network. As is typically the case in a lot of these random “issues”, there was a Microsoft KB to the rescue explaining what was going on: https://support.microsoft.com/en-us/help/2750770/this-app-has-been-blocked-by-your-system-administrator-error-when-you

This issue occurs when an administrator has deployed an application control policy (AppLocker) on the computer. By design, all Microsoft Store apps are blocked if an AppLocker policy is applied. Well, we do have AppLocker in use on this domain due to restricting access to applications for licensing purposes. Unfortunately, in order for me to even attempt to “unblock” the Settings app (which apparently qualifies as a Microsoft Store app), I needed to install the GPO tools on my new server. From there, I could set up the exception appropriately and get into Settings to install patches.

After the first reboot, I wanted to go into the users and groups and configure the access to allow the various groups of individuals to log in and do stuff. Clicking on the start menu does nothing. Hitting the Windows key does nothing. Right click on the start menu works. Keyboard shortcuts (Win+R) work. Apparently the start menu qualifies as a Microsoft Store app as well. I loosened the restriction on this GPO and was able to get in and complete my setup.
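
One way to confirm the condition both posts describe on an affected host, as an added example that is not code from either post: it reads the effective AppLocker policy, reports whether the packaged app (Appx) collection has any rules, lists recent packaged-app block events, and writes a policy fragment containing the default "all signed packaged apps" rule for review. The output file name and the freshly generated rule GUID are assumptions.

```powershell
# Added example: diagnose AppLocker blocking packaged apps (Start menu, Search, Settings).
# Run in an elevated session on the affected Server 2012+ host.
[xml]$policy = Get-AppLockerPolicy -Effective -Xml
$collections = @($policy.AppLockerPolicy.RuleCollection)

# Rule collections that are actually enforced (Exe, Msi, Script, Dll, Appx).
$enforced = @($collections | Where-Object { $_.EnforcementMode -eq 'Enabled' })

# Packaged app rules live in the Appx collection; policies authored on 2008 R2 have none.
$appx = $collections | Where-Object { $_.Type -eq 'Appx' }
$appxRules = 0
if ($appx) {
    $appxRules = @($appx.ChildNodes | Where-Object { $_.NodeType -eq 'Element' }).Count
}

"Enforced collections : {0}" -f (($enforced | ForEach-Object { $_.Type }) -join ', ')
"Packaged app rules   : $appxRules"
if ($enforced.Count -gt 0 -and $appxRules -eq 0) {
    'AppLocker is enforced with no packaged app rule: packaged apps will be blocked.'
}

# Event ID 8022 in this log records a packaged app that AppLocker blocked.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-AppLocker/Packaged app-Execution'; Id = 8022
} -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message | Format-List

# Policy fragment with the default rule: Everyone (S-1-1-0) may run any signed packaged app.
# The rule Id is generated here (assumption); the file name is arbitrary.
$ruleId = [guid]::NewGuid()
$fragment = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Appx" EnforcementMode="Enabled">
    <FilePublisherRule Id="$ruleId" Name="(Default Rule) All signed packaged apps"
        Description="Allows Everyone to run signed packaged apps."
        UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="0.0.0.0" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
</AppLockerPolicy>
"@
# Review the file, then import it into the AppLocker GPO from a Server 2012+ console.
Set-Content -Path .\appx-default-rule.xml -Value $fragment -Encoding UTF8
```

The fragment is written to disk only; nothing in the script changes the GPO, so the import can be done from a management console that actually displays Packaged App Rules.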