
Remote Desktop Services - RemoteApp - no connect with this group policy enabled?

We're playing with RemoteApp for the 1st time. For years we've only used the standard Remote Desktop Connection PC application. Aok.

With the Group Policy "Use Only Allowed Windows Applications" enabled, and a real simple example using Calc.exe, RemoteApp fails to connect and run Calc.exe. It just sort of hangs there and then dies. Nothing in the Event Logs. Works aok as soon as we disable the policy. We tried both access via the .msi-created icon and the RDWeb web page.

The group policy is in User Configuration | Administrative Templates | System. It has been working as expected for us for a long time, just not with the new RemoteApp.

After searching Google, we tried adding more allowed applications to the allowed list, such as rdpshell.exe, rdpinit.exe, rdpclip.exe, and about 25 other Windows O/S related apps. We also looked at C:> Query Process * when successfully connected with the policy disabled and made sure we had the few exes shown also in our policy's allowed list.

Question: What do we need to add to "Use Only Allowed Windows Applications"? Does anybody have RemoteApp working with the policy "Use Only Allowed Windows Applications"?

Yes, the client PC is running RDC 6.0.6001, protocol 6.1 supported.

Any comments appreciated.
Asked by: JReam

4 Solutions

Jayanta Sarmah Commented:
Just a thought, if the below helps you find out the file needed:

Enable "Failure attempts" on the Audit Policy "Audit process tracking" and "Audit object access", and then check the event log after trying to start calc.exe.
David Johnson, CD, MVP (Owner) Commented:
Did you remember to allow remote desktop connection? %windir%\system32\mstsc.exe
McKnife Commented:
Hi.

Please clear this up: where is "Run only allowed Windows applications" in effect, at the server or the client side? Also: how did you publish the RemoteApp? Did you distribute an MSI, or? Because after activating RemoteApp at the server site, we can no longer connect to the server via RDP and start shells other than explorer or published RemoteApps (I am talking about this: mstsc.exe - Options - Programs - "Start the following program on connection"). So if you use that way to start Calculator, it will fail, unless you first published calc.exe as a RemoteApp.
JReam (Author) Commented:
From original question poster.  Thank you all for your replies.  Let's keep the dialog going.

To ve3ofa: mstsc.exe is the client-side Remote Desktop Connection application which gets the connection started in the first place. I don't see how that app would be of concern on the server side for allowed apps, since mstsc.exe on the server itself is not needed.

To sarmahjay:  Interesting and we're going to try that later today.

To McKnife: The policy is a Domain-level policy. Our remote users are in a Users Group that we set up and are in the policy's delegation. Pretty straightforward. We distributed both an MSI and set up the standard web interface RDWeb; both ways connect and launch calc.exe perfectly fine with RemoteApp, but only when the policy is disabled. We're not messing with mstsc command line options, er, unless the auto-created calc.rdp is.... Here's the .rdp file:

redirectclipboard:i:1
redirectposdevices:i:0
redirectprinters:i:1
redirectcomports:i:1
redirectsmartcards:i:1
devicestoredirect:s:*
drivestoredirect:s:*
redirectdrives:i:1
session bpp:i:32
prompt for credentials on client:i:1
span monitors:i:1
use multimon:i:1
remoteapplicationmode:i:1
server port:i:3389
allow font smoothing:i:1
promptcredentialonce:i:1
authentication level:i:2
gatewayusagemethod:i:2
gatewayprofileusagemethod:i:0
gatewaycredentialssource:i:0
full address:s:tech.esensory.com
alternate shell:s:||calc
remoteapplicationprogram:s:||calc
gatewayhostname:s:
remoteapplicationname:s:Calculator
remoteapplicationcmdline:s:

McKnife Commented:
So calc.exe is on the list of allowed programs?
You might think about the sense of using this policy at all. The protective effect is next to nothing, see the description of the policy.
JReam (Author) Commented:
McKnife: Yes, calc.exe is on the list of allowed programs. We put it in there for this testing.

McKnife: We thought about dumping the policy as you suggested. I'm generally a security fan of blacklisting everything, then whitelisting stuff as needed. This strategy of using this policy enabled has worked fine for years with Terminal Server and still works with the new 2008 RDS, just not the new RemoteApp. I'd hate to dump it for RemoteApp, especially when RemoteApp should really be able to coexist with the policy.

McKnife: And worth mentioning here, we did try turning off the policy for a while and immediately noticed that upon remote user login all sorts of crappy MS apps launch automatically on startup, such as the infamous Narrator.exe, Magnifier.exe, Ease of Access, all of which amazingly are not easy to turn off, another can of worms for us to MS troubleshoot. I like the tight policy-enabled approach better.
JReam (Author) Commented:
To sarmahjay: We tried the audit failure suggestion. Yes, we saw many more entries in the event logs for Process Creation and Process Termination. We added EVERY process we saw in there by file name to the policy's allowed list. Made no difference. RemoteApp connects, hangs, and after 30 seconds or so closes the RD window.

I'd be curious if anyone anywhere is actually using RemoteApp with the Group Policy "Use Only Allowed Windows Applications" enabled. Maybe it's just flawed at the core.

Here's my current expanded list of "Allowed" applications; most of these entries are new in this policy's list while trying to get RemoteApp working. Previously we only needed to put in the obvious app names such as excel.exe and winword.exe.

excel.exe
explorer.exe
iexplorer.exe
ois.exe
winword.exe

and added all of these:
rdpshell.exe
rdpclip.exe
rdpinit.exe
userinit.exe
cmd.exe
gpupdate.exe
conhost.exe
consent.exe
acregl.exe
dwm.exe
atbroker.exe
gpscript.exe
TSTheme.exe
taskhost.exe
Dllhost.exe

I even tried stuff like *.* and *.exe. Also tried a few dozen other file names in there not worth listing here.
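
As an added example (not code from any of the posters), here is a PowerShell script that automates the cross-check the author did by hand above: it reads the policy's allow list from the RestrictRun registry key and compares it with the executables recorded in Security log process-creation events (Event ID 4688) during a test RemoteApp connection, reporting the ones missing from the list. It assumes success auditing of process creation is enabled on the RD Session Host and that it runs there as the restricted user, with rights to read the Security log.

```powershell
# Added example, not code from the thread. Lists executables launched for the current user
# (per Security log Event ID 4688) that are absent from the "Run only specified Windows
# applications" allow list. Assumes "Audit process tracking" (success) is on and the
# script runs on the RD Session Host as the user the policy applies to.
param(
    [int]$Minutes = 15   # look back this far, i.e. since the test connection was made
)

# The policy writes RestrictRun=1 under Policies\Explorer and one string value per
# allowed file name under the RestrictRun subkey.
$policyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$listKey   = Join-Path $policyKey 'RestrictRun'

$flag = (Get-ItemProperty -Path $policyKey -Name RestrictRun -ErrorAction SilentlyContinue).RestrictRun
if ($flag -ne 1) { Write-Warning 'RestrictRun is not enabled for this user; the report below is informational only' }

$allowed = @()
if (Test-Path $listKey) {
    $key = Get-Item -Path $listKey
    $allowed = @($key.GetValueNames() | ForEach-Object { ([string]$key.GetValue($_)).ToLower() })
}
Write-Host ("Allow list has {0} entries" -f $allowed.Count)

# 4688 = "A new process has been created"; keep only the restricted user's own processes
$filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddMinutes(-$Minutes) }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$started = foreach ($e in $events) {
    $data = ([xml]$e.ToXml()).Event.EventData.Data
    $user = ($data | Where-Object { $_.Name -eq 'SubjectUserName' }).'#text'
    $path = ($data | Where-Object { $_.Name -eq 'NewProcessName' }).'#text'
    if ($path -and $user -eq $env:USERNAME) {
        [System.IO.Path]::GetFileName($path).ToLower()
    }
}

# Anything listed here ran in the session but is not on the allow list
$missing = @($started | Sort-Object -Unique | Where-Object { $allowed -notcontains $_ })
Write-Host ("{0} launched executables are not on the allow list:" -f $missing.Count)
$missing
```

One caveat worth keeping in mind when reading the output: this policy only blocks programs started through the Explorer shell, not processes created by the system or by other processes, so an executable reported here is not necessarily the one the policy is blocking; software restriction policies, as suggested in this thread, log the actual block.
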
McKnife Commented:
OK, here's what you should do: dump that policy and use software restriction policies instead - those are more secure, even. Maybe the problem is solved, too.
David Johnson, CD, MVP (Owner) Commented:
I don't think you are clear on what you want to accomplish.

Here is a description of remote App
Here are instructions on how to install it. After following these instructions and adding a few programs, I first used Internet Explorer to browse to the RDWeb website and installed the certificate into my trusted root (it was a self-signed certificate).

I was then able to do the items shown on this video

No playing around with restricting programs on the client.
You can restrict Remote Desktop to only admins and only present the 'apps'.
David Johnson, CD, MVP (Owner) Commented:
Please clear this up: where is "Run only allowed Windows applications" in effect? at the server or client side?

Client side -- depends upon who the GPO is applied to.
Also: how did you publish the remoteApp? Did you distribute an msi or?

No, I went to Control Panel / RemoteApp and Desktop Connections and then connected to the server after setting up a new connection.
https://servername/rdweb/feed/webfeed.aspx

Because after activating remoteApp at the server site, we can no longer connect to the server via rdp and start shells other than explorer or published remote apps (I am talking about this: mstsc.exe - options - programs - "start the following program on connection"). So if you use that way to start calculator, it will fail, unless you first published calc.exe as remoteApp.

Don't do this (unless you REALLY, REALLY need to) as it is a real pain.
McKnife Commented:
To me it is clear what he wants to accomplish. Until now he used RD (full session); now he would like to use RemoteApp. This fails because somehow the policy "Run only allowed Windows applications" is interfering.

Software restriction policies offer logging. So if the same problem appears with SRPs, you will at least know what process was blocked and has to be allowed.
JReam (Author) Commented:
We never did figure this out. RemoteApp somewhere under the hood has a bug; it is MS after all. We'll wait for another chance down the road to give it a try. In the meantime we're looking at other remote access options.
McKnife Commented:
May I comment on the closure:
I appreciate the points, but you did not try to follow my advice. ->Use software restriction policies! They have logging, so you will see what is going on!

...that would have been better than accepting with a C grade, too ;)