I was wondering if you could help me with an issue I'm having.
A client is asking to run a Navision-based ClickOnce executable; it's a folder where there's both the files Dashboard.application and setup.exe. The environment is one out of five possible RDSH machines (Windows Server 2016) managed by DEM. I put a link to each user's Desktop using DEM > User Environment > Shortcuts.
The test user I'm running this on is a "normal" user that has access to the UNC path.
The user may now click on any of the two icons: one calls the setup.exe directly, the other one the Dashboard.application file. (setup.exe itself will call the .application file by default).
When the user clicks on the setup.exe he will see the elevation request window:
Clicking on "Ja" (= Yes) will do the same as if the user clicks on the Dashboard.application entry itself: it will shortly present the loading/installing window, then the error message.
Application is being loaded/started:
Application could not be started.
So ... either way the user is not able to execute this.
The "Details..." button will show the error message "This program is blocked by group policy. For more information, contact your system administrator. (Exception from HRESULT: 0x800704EC)".
... grrrrrrr ... I'm not aware of any policy blocking it. 😞
In a working environment (a user with administrative privileges connecting directly to the VDI RDS Host) it will install the application to a random folder under %APPDATA%\Local\Apps\2.0\, could be 53W93V15.P8C or 3O163AT3.56A or any other combination of that sort.
That's why I added an exception or better yet I added a new rule for privilege elevation to allow any .exe file being called in the %APPDATA% context:
Still it won't work. In my VDI context it won't install any folder as it aborts too early.
As you can see I was tinkering around with the privilege elevation, also I used the part in the "Application Blocking" part in DEM to specifically allow the whole UNC folder/path incl. the files but I think the problem is when it access the local computer and trying to put anything in the %APPDATA%\Local subfolder(s) it's supposed to be creating.
Is there a way without putting it in the Golden Master (re-run not yet scheduled) to get this to work? I think I tried everything that DEM has to offer in terms of allowing stuff, yet I'm unable to execute this tool as a VDI user.
Any help would be highly appreciated!
> also I used the part in the "Application Blocking" part in DEM to specifically allow the whole UNC folder/path incl. the files
If you enable application blocking, only applications from the Windows folder, C:\Program Files, and C:\Program Files (x86) are allowed to run. Have you defined additional Allow rules for the various (Local)AppData paths required for ClickOnce?
Do you see anything relevant being logged during path-based export as part of the application blocking statistics? Something like the following:
2021-02-10 14:11:39.886 [INFO ] Application blocking statistics:
2021-02-10 14:11:39.886 [INFO ] Blocked C:\Utils\Dbgview476.exe 1 time
Also, please note the difference between %APPDATA%\Local and %LOCALAPPDATA%. %APPDATA% expands to C:\Users\user\AppData\Roaming, while %LOCALAPPDATA% expands to C:\Users\user\AppData\Local.