Tag Archives: GPO

Removable Storage Access GPO setting not working

There is a poorly documented requirement for the Removable Storage Access group policy settings, which causes a lot of Active Directory administrators to complain in official and unofficial forums.

The requirement is that a service named “Portable Device Enumerator Service” must be running for the setting to be effective. This poses a problem when you want to apply the restriction to users rather than computers, because in many cases you should deploy two GPOs: one to disable removable devices for users, and one to enable the service on their computers.

To enable the Portable Device Enumerator Service, apply to the computer a GPO configured in the Computer Configuration\Policies\Windows Settings\Security Settings\System Services section as shown in the following example:

Portable Device Enumerator Service

 

Windows Start menu not working due to AppLocker GPO

As far as I can see, this is a common issue in Windows 8 and later. The symptom is that clicking the Windows logo in the bottom-left corner, which usually opens the Start menu, does nothing. Even pressing the Windows key on the keyboard doesn’t work. However, you can still right-click the Start button and see the administrative menu.
Many sites, blogs and forum threads suggest using tools such as sfc.exe and Add-AppxPackage, and if these fail, the final solution is to repair or reinstall the OS.
Before using such an invasive solution, consider whether a GPO could be responsible for your issue (this is not the case if your PC doesn’t belong to a domain).
A GPO that enables AppLocker executable rules may be the cause. First check the AppLocker log in Event Viewer (Applications and Services Logs → Microsoft → Windows → AppLocker → Packaged App-Execution). If you find an event with ID 8026 or 8027, you are close to the solution. A change to the AppLocker GPO (or a new GPO) is required. You (or your systems administrator) could filter that GPO for the affected PC, or alternatively create the default rules for the packaged apps section and enforce them.
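
The same check can be scripted. The following PowerShell is an added example, not part of the original post: it looks for the event IDs named above and reads the effective AppLocker policy to see whether executable rules are enforced while the packaged app collection has no rules. The function name `Test-StartMenuAppLocker` and the `MatchesPostScenario` flag are hypothetical, and the script assumes the AppLocker cmdlets are available on the PC.

```powershell
# Added example (not from the original post). Run elevated on the affected PC.
function Test-StartMenuAppLocker {   # hypothetical helper name
    # The post rules out a GPO cause on PCs that are not domain members.
    if (-not (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain) {
        Write-Warning 'PC is not domain-joined, so a domain GPO is not the cause.'
        return
    }

    # Event IDs 8026/8027 from the log the post points to in Event Viewer.
    $filter = @{
        LogName = 'Microsoft-Windows-AppLocker/Packaged app-Execution'
        Id      = 8026, 8027
    }
    $events = @(Get-WinEvent -FilterHashtable $filter -MaxEvents 20 `
                    -ErrorAction SilentlyContinue)

    # Effective (local + GPO, merged) AppLocker policy, read as XML.
    [xml]$policy = Get-AppLockerPolicy -Effective -Xml
    $state = foreach ($type in 'Exe', 'Appx') {
        $rc = $policy.AppLockerPolicy.RuleCollection |
                  Where-Object { $_.Type -eq $type }
        [pscustomobject]@{
            Collection      = $type
            EnforcementMode = if ($rc) { $rc.EnforcementMode } else { 'NotConfigured' }
            RuleCount       = if ($rc) { $rc.SelectNodes('*').Count } else { 0 }
        }
    }
    $exe, $appx = $state

    [pscustomobject]@{
        EventCount  = $events.Count
        LatestEvent = ($events | Select-Object -First 1).TimeCreated
        Policy      = $state
        # Assumption: the post's scenario is "Exe rules enforced, no packaged
        # app rules", with at least one 8026/8027 event logged.
        MatchesPostScenario = ($events.Count -gt 0) -and
                              ($exe.EnforcementMode -eq 'Enabled') -and
                              ($appx.RuleCount -eq 0)
    }
}

$result = Test-StartMenuAppLocker
$result | Format-List EventCount, LatestEvent, MatchesPostScenario
$result.Policy | Format-Table -AutoSize
```

After the GPO change described below has been applied and `gpupdate /force` has run, the `Appx` row should show a non-zero rule count with enforcement enabled.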

In the Security section of the computer configuration, expand AppLocker, right-click Packaged app Rules and select Create Default Rules:

Then right-click AppLocker and select Properties. Enable Packaged app Rules by selecting Configured and ensure that the Enforce rules option is selected:

For more details you can refer to these TechNet pages: