Run Advertised Programs blocked by Software Restriction Policies
Hi,

We have had Software Restriction Policies implemented on our Windows XP SP2 build since last year, before we started using Windows 7, but we are now having problems with the functioning of the SCCM client after the SCCM OSD Windows 7 migration. What the Software Restriction Policies do is prevent certain extensions from running, such as EXE, COM and VBS. They do have exclusion folders, but I am not sure which folders should be excluded besides the standard Windows\System32\CCM folder for SCCM to function. I was wondering if there is any information about what access (Registry/File/Folder/Executable) the SCCM Client Install needs in order to run correctly.

We are now unable to launch Run Advertised Programs, Program Download Monitor and Configuration Manager due to the software restriction policy. I have checked the Client Installation Logs, which all report a successful install during SCCM OSD, but when running the client it was blocked by the software restriction policy.

I have already added Software Restriction Policy settings as below:

%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\*.exe
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\System32\*.exe
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\System32\ccm
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\System32\ccmsetup
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%
C:\Windows\System32\CCM
C:\Windows\System32\ccmsetup

But I am still unable to execute Run Advertised Programs, Program Download Monitor and Configuration Manager. There is no problem with SCCM client execution if I move that test machine out of the software restriction policy OU. Is there anything I still need to add to the software restriction policy in order to execute the SCCM client? Any ideas would be welcome.
Thanks and regards, Leong Leong
July 9th, 2012 2:07am

Are you running 32 or 64 bit Windows 7?

%windir%\System32\CCM\SMSRAP.CPL or %windir%\SysWOW64\CCM\SMSRAP.CPL

My Microsoft Core Infrastructure & Systems Management blog - blog.danovich.com.au
July 10th, 2012 9:46pm

Hi Danovich, our client is running on 32-bit Windows 7. Leong
July 10th, 2012 10:20pm

Please refer to the following similar thread: "SCCM Client Install and Software Restriction Policies".

And please check if the solution in the following KB article helps: "An advertised program does not run when a user logs on to the SMS 2003 Advanced Client computer".
July 13th, 2012 3:25am

Hi Sabrina, my problem is not similar to the thread that you suggested as, again, my SCCM client is running well on that particular test machine. The problem is just that it is blocked by the software restriction policy when we double-click Run Advertised Programs. Leong
July 15th, 2012 9:25pm

Hi, I found that Microsoft's recommendation for Windows 7 is to stop using SRP and move towards AppLocker, as you can generate default rules that will take care of problems like this. This is because AppLocker's executable rules will already include the C:\Windows and C:\Program Files paths to be excluded from restriction for all users. My problem was solved after I used AppLocker rather than SRP. Cheers :) Leong Leong
August 5th, 2012 8:12pm
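
An added example, not part of the thread or any poster's code: a PowerShell check, run on a Windows 7 client after the move to AppLocker, that reports how the effective AppLocker policy decides on the executables in the ConfigMgr client folders named in the thread. Checking only *.exe files and testing against the Everyone group are assumptions of this example.

```powershell
# Added example: report the effective AppLocker decision for the ConfigMgr
# client executables. Needs the AppLocker PowerShell module on the client.
Import-Module AppLocker

# Client folders named in the thread; keep only those present on this machine.
$ccmFolders = @(
    "$env:windir\System32\CCM",
    "$env:windir\System32\ccmsetup",
    "$env:windir\SysWOW64\CCM"
) | Where-Object { Test-Path $_ }

if (-not $ccmFolders) {
    Write-Warning 'No ConfigMgr client folders found under %windir%.'
    return
}

# Assumption: only *.exe files are checked (executable rule collection).
$files = Get-ChildItem -Path $ccmFolders -Include *.exe -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object { $_.FullName }

if (-not $files) {
    Write-Warning 'No executables found in the client folders.'
    return
}

# Evaluate each file against the policy that is actually in force (local + GPO).
$policy  = Get-AppLockerPolicy -Effective
$results = Test-AppLockerPolicy -PolicyObject $policy -Path $files -User Everyone

$results | Sort-Object PolicyDecision |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Anything not explicitly or implicitly allowed needs a rule before rollout.
$blocked = @($results | Where-Object { $_.PolicyDecision -notlike 'Allowed*' })
if ($blocked.Count -gt 0) {
    Write-Warning "$($blocked.Count) client executable(s) would be blocked for Everyone."
} else {
    Write-Output 'All client executables are allowed by the effective policy.'
}
```

Running it on a pilot machine before linking the policy to the production OU shows which rule, if any, matches each client binary.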
