DetailPage-MSS-KB

Microsoft small business knowledge base

Article ID: 976922 - Last Review: October 11, 2010 - Revision: 2.0

On This Page

SYMPTOMS

You start the Group Policy Management Console (GPMC) on a computer that is running Windows Vista, Windows Server 2008, or later versions of the Windows operating system. You use the Group Policy Management Editor window to edit Group Policy settings. In this scenario, the  Run only allowed Windows applications Group Policy setting displays no entries. However, the entries for this setting are displayed if you edit Group Policy settings on a server that is running Windows Server 2003 or on a computer that is running Windows XP.

Regardless of the operating system, the Group Policy settings are applied correctly.

CAUSE

This issue occurs only when the following conditions are true:
  • The network is a mixed environment of different operating systems including the following:
    • Windows Server 2008
    • Windows Server 2008 R2
    • Windows Vista (RSAT)
    • Windows 7 (RSAT)
  • The network also has at least one computer that is running one of the following operating systems:
    • Windows Server 2003
    • Windows Server 2003 R2
    • Windows XP
  • You have previously edited the Group Policy setting on a computer that is running Windows XP or Windows Server 2003.
When these conditions are true, an issue prevents the Group Policy Management Editor window from correctly displaying the Run only allowed Windows applications setting on computers that are running Windows Vista, Windows Server 2008, or Windows 7.

WORKAROUND

To work around these issues, you can use one of the following methods.

Method 1: Use AppLocker or Software Restriction policies instead of this legacy policy

Windows 7 and Windows Server 2008 R2 introduced AppLocker to:
  • Help prevent malicious software (malware) and unsupported applications from affecting computers in your environment.
  • Prevent users from installing and using unauthorized applications.
  • Implement application control policy to satisfy security policy or compliance requirements in your organization.

Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008 all support Software Restriction Policies (SAFER) which also control applications similiarly to AppLocker. Both AppLocker and SAFER replace the legacy policy setting "Run only allowed Windows applications", which was originally designed for Windows 95 system policies.

For more information about AppLocker, please review:

http://technet.microsoft.com/en-us/library/dd723678(WS.10).aspx (http://technet.microsoft.com/en-us/library/dd723678(WS.10).aspx)

For more information about SAFER, please review:

http://technet.microsoft.com/en-us/library/bb457006.aspx (http://technet.microsoft.com/en-us/library/bb457006.aspx)

Method 2: Re-create the setting on Windows 7 or on Windows Server 2008

To work around this issue, you will have to re-create the Run only allowed Windows applications Group Policy setting by using the Group Policy Management Editor window on a server that is running Windows Server 2008 or on a Windows 7-based computer. After the setting has been re-created, do not edit Group Policy settings on a server that is running Windows Server 2003 or on a Windows XP-based computer.

Method 3: Edit the setting on Windows Server 2003 or on Windows XP

To work around this issue, only edit the Run only allowed Windows applications Group Policy setting on a server that is running Windows Server 2003 or on a Windows XP-based computer.

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

APPLIES TO
  • Windows Server 2008 Datacenter
  • Windows Server 2008 Enterprise
  • Windows Server 2008 Standard
  • Windows Server 2008 R2 Datacenter
  • Windows Server 2008 R2 Enterprise
  • Windows Server 2008 R2 Standard
  • Windows 7 Enterprise
  • Windows 7 Professional
  • Windows 7 Ultimate
  • Windows Vista Business
  • Windows Vista Enterprise
  • Windows Vista Ultimate
  • Windows Vista Business 64-bit Edition
  • Windows Vista Enterprise 64-bit Edition
  • Windows Vista Ultimate 64-bit Edition
  • Microsoft Windows XP Professional
  • Microsoft Windows XP Professional x64 Edition
Keywords: 
kbgrppolicyprob kbtshoot kbexpertiseinter kbsurveynew kbprb KB976922
Share
Additional support options
Ask The Microsoft Small Business Support Community
Contact Microsoft Small Business Support
Find Microsoft Small Business Support Certified Partner
Find a Microsoft Store For In-Person Small Business Support