
Thursday, September 15, 2016

FIXED: Windows 10 Start button does not work after applying Applocker policies

AppLocker is a really good feature (available only in the Enterprise editions of Windows), but like all security features it has some gotchas.
One of them is that if you enable AppLocker on Windows 10 with Executable rules enforced, the Start button doesn't work anymore. If you left-click it, nothing happens. You can right-click it, but that's obviously not enough. The reason is that the Windows 10 Start menu is itself a packaged (AppX) app, so it is caught by the same enforcement.

In addition, the following error is logged in the AppLocker log in Event Viewer (Applications and Services Logs - Microsoft - Windows - AppLocker):

"No packaged apps can be executed while Exe rules are being enforced and no Packaged app rules have been configured."

To fix this you need to create Packaged app rules in the AppLocker Group Policy. Follow these steps:
1. Go to Computer Configuration / Policies / Windows Settings / Security Settings / Application Control Policies / AppLocker
2. Right-click Packaged app Rules and select Create Default Rules. The default rule allows members of Everyone to run any signed packaged app; you can replace it later with narrower publisher rules, as long as the Microsoft-signed shell packages stay allowed.
3. After the policy is applied to the Windows 10 workstation (run gpupdate /force if you don't want to wait for the next refresh), the Start button will work again. If it still doesn't, confirm that the Appx rule collection actually arrived in the effective policy on the client before looking elsewhere.
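The check and fix above in PowerShell, as an added example that is not part of the original post: it reads the effective AppLocker policy on the client, reports whether Executable rules are enforced while the Packaged app collection is empty, looks for the quoted event in the AppLocker logs, checks that the Application Identity service is running, and with -Apply merges the default Packaged app rule into the local policy (for a domain GPO you would pass -Ldap to Set-AppLockerPolicy instead of editing the local policy). The function names and the -Apply switch are my own, and the rule GUID is generated fresh rather than copied from a real policy.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the original post. Assumes the AppLocker module
# (Get-AppLockerPolicy / Set-AppLockerPolicy) on Windows 10 Enterprise or Server.
# Function names and the -Apply switch are mine; the rule GUID is freshly generated.
[CmdletBinding()]
param([switch]$Apply)   # without -Apply the script only reports

Import-Module AppLocker

function Test-PackagedAppRuleGap {
    # Parse the effective (local + GPO) policy and report the state the post describes:
    # Exe collection enforced while the Appx collection has no rules at all.
    [xml]$policy = Get-AppLockerPolicy -Effective -Xml
    $collections = @($policy.AppLockerPolicy.RuleCollection)
    $exe  = $collections | Where-Object { $_.Type -eq 'Exe' }
    $appx = $collections | Where-Object { $_.Type -eq 'Appx' }
    $exeEnforced = ($null -ne $exe) -and ($exe.EnforcementMode -eq 'Enabled')
    $appxRules = 0
    if ($null -ne $appx) {
        # Rule elements are FilePublisherRule / FilePathRule / FileHashRule
        $appxRules = @($appx.ChildNodes | Where-Object { $_.Name -like 'File*Rule' }).Count
    }
    [pscustomobject]@{
        ExeEnforced   = $exeEnforced
        AppxRuleCount = $appxRules
        Broken        = $exeEnforced -and ($appxRules -eq 0)
    }
}

function Test-AppIdService {
    # AppLocker only enforces while Application Identity is running; if it is
    # stopped the Start menu works, but so does everything else you meant to block.
    (Get-Service -Name AppIDSvc -ErrorAction Stop).Status -eq 'Running'
}

function Get-PackagedAppBlockEvents {
    # Search every AppLocker channel for the message quoted in the post.
    Get-WinEvent -ListLog 'Microsoft-Windows-AppLocker/*' -ErrorAction SilentlyContinue |
        ForEach-Object { Get-WinEvent -LogName $_.LogName -MaxEvents 500 -ErrorAction SilentlyContinue } |
        Where-Object { $_.Message -like 'No packaged apps can be executed*' } |
        Select-Object TimeCreated, Id, LogName
}

function New-DefaultAppxPolicyXml {
    # The same rule "Create Default Rules" produces for Packaged app Rules:
    # Everyone (S-1-1-0) may run any signed packaged app, any publisher/version.
    $id = [guid]::NewGuid().ToString()
    return @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Appx" EnforcementMode="Enabled">
    <FilePublisherRule Id="$id" Name="(Default Rule) All signed packaged apps"
        Description="Allows members of the Everyone group to run packaged apps that are signed."
        UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="0.0.0.0" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
</AppLockerPolicy>
"@
}

$state = Test-PackagedAppRuleGap
$state | Format-List
if (-not (Test-AppIdService)) {
    Write-Warning 'AppIDSvc is not running: AppLocker is not enforcing anything on this host.'
}
Get-PackagedAppBlockEvents | Select-Object -First 5 | Format-Table -AutoSize

if ($state.Broken -and $Apply) {
    $xmlPath = Join-Path $env:TEMP 'appx-default-rule.xml'
    New-DefaultAppxPolicyXml | Set-Content -Path $xmlPath -Encoding UTF8
    # -Merge adds the Appx collection without touching the existing Exe/MSI/Script rules.
    # For a domain GPO, pass -Ldap with the GPO's LDAP path instead of editing local policy.
    Set-AppLockerPolicy -XmlPolicy $xmlPath -Merge
    gpupdate /force | Out-Null
    Test-PackagedAppRuleGap | Format-List
} elseif ($state.Broken) {
    Write-Host 'Policy gap found; re-run with -Apply to merge the default Packaged app rule.'
}
```

Run it once without -Apply on an affected client: if Broken is True and the event search returns hits, the GPO change has not reached the machine yet (or was never made), which is the situation the comments below keep running into. -Merge is deliberate: replacing the policy would silently drop the Executable rules you already have.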

P.S. If your domain controller runs Windows Server 2008 R2, you will not see "Packaged app Rules" in the Group Policy Management Console there. You will need to edit the policy from a Windows Server 2012 (or later) machine with GPMC installed.

Comments:

  1. Thank you so much!! I had been looking into this issue for weeks and now it's resolved. God bless you!

  2. Nice one, it works, thanks!

    BTW, a fresh 2016 Standard server installation is broken this way from the start.

  3. Doesn't work for Win2016 - another solution??

    1. I know this post is a little old, but I recently came across this blog while looking for a solution to the same problem with Windows Server 2016. After some tweaking, I was able to blend the information from this topic with that from another I found to make it work in our environment on Windows Server 2016. Hopefully this will save someone else from having to scour the Internet for a fix.

      From an admin cmd prompt run the following:
      gpresult /f /h C:\Temp\gpresult.html && C:\Temp\gpresult.html (change this to put the report where you want it)

      In the report, check the Application Control Policies section under Computer Details > Policies > Windows Settings > Security Settings. Confirm there are no existing rules being applied from a GPO. If there are any custom rules being applied from a GPO, you may be able to just add the default rules using the steps below. We aren't applying any AppLocker rules via GPO, so I used the Local Security Policy. Be sure to run gpupdate /force if you do make any changes to your GPO, and re-check the results using gpresult.

      If none, launch Local Security Policy and add the default rules to each rule set by right-clicking and selecting Create Default Rules. Be sure to do this for each rule set.

      Re-run gpresult from above and confirm the default rules exist, and that they are being applied from the Local Security Policy.

      Launch Services.msc and start the Application Identity service if it's not already running. The service should start and stay running. If it does not remain running, the next step will likely fail, at least it did for me.

      With the Application Identity service running, wait a minute or two to allow it to do whatever it does with the AppLocker rules then run the following PowerShell CmdLets:

      Get-AppxPackage -AllUsers *shellexperience* -PackageType bundle | % { Add-AppxPackage -Register -DisableDevelopmentMode ($_.InstallLocation + "\appxmetadata\appxbundlemanifest.xml") }

      Get-AppXPackage -AllUsers | Foreach {Add-AppxPackage -DisableDevelopmentMode -Register "$($_.InstallLocation)\AppXManifest.xml"}

      The first cmdlet doesn't appear to do anything, and running it without the piped Add-AppxPackage does not return any results, but I ran it anyway.

      The second cmdlet is the one we are interested in here. If all goes well, it should run through the list of applications in the AppxManifest.xml file without any errors. If you do receive any errors stating AppLocker blocked something, wait a minute or two and try again. I had a couple of instances where I had to wait a short while before the command would complete successfully.

      Once the command completes successfully, the Start button - and all other affected apps - should work again.

      You should be able to stop the Application Identity service and leave it as Manual (Trigger Start).

    2. Despite the above steps, it was of no use. However, on checking services.msc, we noticed that Tile Data Model Server was disabled. We used a registry tweak to enable "Tile Data Model Server" and voila, we got the START menu.

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tiledatamodelsvc]
      "Start"=dword:00000002

  4. Yes! Thank You!!!
    I had to also generate the default rules for: "Executable Rules", "Windows Installer Rules" and "Script Rules" as well.

    This fixed my Start menu on my Win 10 Enterprise machine after the 1803 update.

  5. This was so helpful. The Microsoft articles on this issue were no help, this solved my missing start menu issue in seconds. Thanks for solving and posting this.

    I had generated default Executable Rules to help me block IE from users running it, but I had not generated default Packaged App rules or the other things. I will do those now.

  6. This method worked for me as well! Thank you!

  8. Same issue faced on a terminal server (session host server).

    Will this post's fix work or not, and is there any impact?
  9. I have the same issue on an RDS farm; can you elaborate on the steps in:

    If none, launch Local Security Policy and add the default rules to each rule by right-clicking and selecting Create Default Rules. Be sure to do this for each rule set.

  10. Sadly, none of the solutions from the article and comments helped me. After upgrading to Windows 10 1909, the Start menu and Windows Store apps are still blocked.

    1. Do you see any errors in the Event log?

    2. This is the error in the AppLocker event log: "No packaged apps can be executed while Exe rules are being enforced and no Packaged app rules have been configured".
      It is weird, because I have already created the default "Packaged app Rules"; it must allow all signed apps for Everyone.

    3. It is working now. I forcefully applied Group Policy (gpupdate /force) and it is fixed. Thank you.

    4. Great! Glad to hear that :)
