Removable Storage Access GPO setting not working

There is a badly documented requirement for the Removable Storage Access group policy settings, which causes a lot of Active Directory administrators to complaint in official and unofficial forums.

The requirement is that a service named “Portable Device Enumerator Service” must be running for the setting to be effective. This poses a problem when you want to restrict devices to user targets, because in many cases you should deploy two GPOs: one to disable removable devices for users, and one to enable the service on their computers.

To enable the Portable Device Enumerator Service, apply to the computer a GPO configured in the Computer Configuration\Policies\Windows Settings\Security Settings\System Services section as shown in the following example:

 

Windows Start menu not working due to AppLocker GPO

As I can see, this is a common issue in Windows 8 and later. The symptom is that if you click the Windows logo at the bottom left corner, which usually opens the Start menu, nothing happens. Even pressing the Windows key on the keyboard doesn’t work. However you can right click the start button and see the administrative menu.
There are many sites, blogs and forum threads that suggest using tools such as fsc.exe and Add-AppXPackage, and if these fail the final solution is to repair or reinstall the OS.
Before using such an invasive solution, consider if a GPO can be responsible for your issue (this is not the case if your PC doesn’t belong to a domain).
A GPO that enables AppLocker executable rules may be the cause. First check the AppLocker log in Event Viewer (Applications and Services Logs → Microsoft → Windows → AppLocker → Packaged App-Execution). If you find an event with ID 8026 or 8027, you are near the solution. A change of the AppLocker GPO (or a new GPO) is required. You (or your systems administrator) could filter that GPO for the affected PC, or alternatively create the default rules for the packaged apps section, and enforce them.

In the Security section of the computer configuration, expand AppLocker, right click Packaged app Rules and select Create Default Rules:

Then right click AppLocker and select Properties. Enable Packaged app Rules by selecting Configured and ensure that the Enforce rules option is selected:

For more details you can refer to these TechNet pages:

•  Create AppLocker default rules
•  Configure an AppLocker Policy for Audit Only
  (Despite the title, this page also explains how to enforce the rule, which is your goal.)

Everyone denies (ITA)

Read this post in english

Hai un problema col tuo PC. Potrebbe essere un vecchio Windows XP, magari la Home Edition. Un paio di sintomi del tuo problema potrebbero essere i seguenti:

Quando provi ad aprire un file di office, l’applicazione (Word, Excel, etc.) ti dice che potrebbe essere già aperto da “un altro utente”.

<nomefile> è utilizzato al momento da “un altro utente”. Aprire in ‘Sola lettura’ o fare clic sul pulsante ‘Notifica’ per aprire in sola lettura e ricevere un messaggio di avviso quando il file originale sarà disponibile.

Se scegli di aprire il file in sola lettura, poi, ricevi questo errore:

Errore durante l’apertura del file.
Provare le seguenti operazioni.
 Verificare le autorizzazioni del file per il documento o l’unità.
 Verificare la memoria e lo spazio su disco.
 Aprire il file con il convertitore per il ripristino di testo.

Inoltre, quando apri Outlook Express, riesci a scaricare nuovi messaggi, puoi vedere il mittente e l’oggetto, ma il testo del messaggio è vuoto.

Altre applicazioni potrebbero dare problemi, con vari tipi di messaggi di errore.

Che cosa può essere successo?

Be’, come prima cosa si può sospettare che il tuo PC sia stato infettato da qualche tipo di malware. Fai subito una scansione con il tuo antivirus, poi apri msconfig (Start, Esegui, digita msconfig), vai su “Avvio” . Disabilita qualunque programma sospetto e riavvia.

Poi apri la tua cartella %userprofile% (Start, Esegui, digita %userprofile%) e scendi in Menu Start, Programmi, Esecuzione automatica. Rimuovi tutti i file indesiderati. Se non è possibile eliminarli a causa di un “accesso negato”, prova ad usare uno strumento come  Unlocker.

Questi passaggi comunque non risolvono il tuo problema. È probabile che il tuo problema sia legato ai permessi sulla cartella temporanea.

Apri un prompt dei comandi (Start, Esegui, digita cmd). Al prompt digita: cacls %temp%

Potresti vedere che il gruppo Everyone ha un permesso negativo (deny)

Sei fortunato: hai trovato il problema. Ora esegui:
cacls %temp% /e /r everyone

Prova ad aprire i tuoi file e le tue applicazioni: potrebbero funzionare.

Se il comando indicato fallisce, puoi creare una nuova cartella nel profilo e redirigere sia %temp% sia %tmp% su di essa. Oppure, come soluzione estrema, potresti creare un nuovo utente e spostare i tuoi file personali nel nuovo profilo.

Se questo articolo ti è stato di aiuto, lascia un commento: potrebbe aiutare altre persone che sperimentano lo stesso problema.

Everyone denies

Leggi questo articolo in italiano

You have a problem with your PC. It may be an old Windows XP, possibly Home Edition. A couple of symptoms are the following:

When you try to open an office file, the application (Word, Excel, etc.) states that it is yet open by “another user”.

Error: “<filename> is locked for editing by ‘another user’. Open ‘Read-Only’ or click ‘Notify’ to open read-only and receive notification when the document is no longer in use.

If you choose to open it in read-only mode, you receive an error such as:

Word experienced an error trying to open the file.
Try these suggestions.
 Check the file permissions for the document or drive
 Make sure there is sufficient free memory and disk space
 Open the file with the Text Recovery converter

Moreover, when you open Outlook Express, you can download new messages, you can see the sender and the subject, but the message body is blank.

Other applications may fail with any kind of error message as well.

What happened?

Well, first of all I suspect you were infected by some kind of malware. Please do a full scan with your antimalware software, then open msconfig (Start, Run, type msconfig) and go to the “startup” section. Disable any suspect program, and reboot.

Also open your %userprofile% folder (Start, Run, type %userprofile%) and go to Start menu, Programs, Startup. Remove any unwanted file. If you receive an “access denied” error, try using a tool such as Unlocker.

These step don’t resolve your problem, however. It’s likely that your problem is related to your temp folder permissions.

Open a command prompt (Start, Run, type cmd). At the prompt type: cacls %temp%

You may see that the Everyone group has a deny permission.

You are lucky: you found the problem.
Just type:
cacls %temp% /e /r everyone

Now please try opening you applications and files. They should work.

If  the above command fails, you may create a new folder in your profile and redirect both %temp% and %tmp% to that folder. Or you may want to create a new user and move your personal file on the new profile.

If this post was helpful, please leave a comment: this could help other people having the same issue.