When Group Policy "Run only allowed Windows applications" is in force, cannot launch Windows bundles unless the executable is "allowed"

  • 7009039
  • 25-Jul-2011
  • 27-Apr-2012

Environment


Novell ZENworks 10 Configuration Management Bundles
Novell ZENworks 11 Configuration Management Bundles

Situation

  • Windows Group Policy setting "Run only allowed Windows applications" is in force
  • Bundles that launch executables fail, unless the executable is included in the "whitelist" ("List of allowed applications")
  • Bundles that launch URLs fail

Resolution

This is fixed in version 11.1 - see KB 7008746 "ZENworks Configuration Management 11.1 - update information and list of fixes" which can be found at https://www.novell.com/support

Workaround: if it is not possible to upgrade to ZCM 11.1 at this time, in the interim, Novell has made a Patch available for testing, in the form of a Field Test File (FTF): it can be obtained at https://download.novell.com/Download?buildid=_OBcsa8qQnM~ as "ZCM 11.0 - fix for 'Install Directory' action fails if changed - see KB 7008801; cannot launch bundles when 'Run only allowed Windows applications' is in force - see KB 7009039; MST fails in MSI install - see KB 7008948; 'Install Directory' action is slow with many files - see TID 7009047". This Patch should only be applied if the symptoms above are being experienced, and are causing problems.

This Patch has had limited testing, and should not be used in a production system without first being checked in a test environment. Some Patches have specific requirements for deployment, it is very important to follow any instructions in the readme at the download site. Please report any problems encountered when using this Patch, by using the feedback link on this TID.

Important: after applying this patch, to use bundles that launch Windows executables that are not included in the "List of allowed applications", on the "Launch Options" tab, uncheck the box for "Use the operating system shell to start the process"

In addition, if the ZENworks Application Window is used to launch bundles, then include "nalwin.exe" in the "List of allowed applications"

Additional Information

This behavior is different to ZENworks Desktop Management; in that product, any bundle can be launched from ZENworks (NAL Window or NAL Explorer) if NAL is in the "List of allowed applications"