AppLocker is breaking Windows Start Menu
The other day I was setting up a couple of Windows Server 2016 XenApp VDA servers to do some more extensive tests of the different Citrix policy templates, to evaluate how the settings in these templates impact the user experience.
During these tests I kept running into an issue with the Start Menu not working properly. The context menu worked as it should, but nothing happened on a regular left click on the Start button. I have run into this issue many times before, on both Windows Server 2016 and Windows 10, and the cause was always either Citrix UPM not being able to handle the Tile Data Service database, or a plain old Windows Roaming Profile being old and broken.
In this case, however, I had configured neither Citrix UPM nor Windows Roaming Profiles; I had configured an FSLogix Profile Container instead, so why was this happening? To make it even stranger, I experienced the issue with an admin user on a local profile as well, which ruled out any profile handling issue.
As you may already have guessed, AppLocker had a part to play in the issue I experienced, but what was AppLocker actually doing?
Well, as it turns out, AppLocker was blocking the “Windows Shell Experience Host” and “Cortana”, and both are necessary for the Start Menu to work properly.
During my troubleshooting I came across this message in the AppLocker part of Windows Event Viewer:
Not very helpful! I did have Exe rules configured, but the “no Packaged app rules have been configured” part was confusing. My AppLocker GPO was configured to enforce Packaged app rules, but no rules were actually configured, just as the event was telling me. As it turns out, “Packaged app” is AppLocker’s term for a Universal Windows Platform (UWP) app, and the aforementioned “Windows Shell Experience Host” (and Cortana) are themselves packaged apps. With Exe rules enforced and no Packaged app rules configured, AppLocker does not let any packaged app run, shell components included.
As AppLocker was blocking the Windows Shell Experience Host, this explained why my Start Menu wasn’t working. The solution was actually really simple and required nothing more than creating another AppLocker rule.
Go into your AppLocker GPO, right-click Packaged app Rules and select “Create Default Rules”. This creates one rule that allows all signed packaged apps to run. Note that this default rule is deliberately broad: it lets any user run any signed packaged app, regardless of publisher. If you want tighter control, replace it with publisher rules for just the packages the shell needs, or set the Packaged app collection to Audit only first and use the resulting events to build your rules.
Once the rule is created, either run “gpupdate /target:computer /force” from a command prompt or simply reboot the server/computer.
This should bring back the Start Menu and Cortana and all your application shortcuts.
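The same fix, done from PowerShell so it can be checked and repeated, as an added example that is not code from the original post. It assumes a Windows Server 2016 or Windows 10 box with the AppLocker module, an elevated session, and that the Start Menu and Cortana ship as the packages Microsoft.Windows.ShellExperienceHost and Microsoft.Windows.Cortana (verify the names with Get-AppxPackage on your build). It first confirms the symptom (Packaged app collection enforced but empty), then builds either the broad “all signed packaged apps” rule the GPO’s Create Default Rules produces, or a tighter allow-list derived from the shell packages themselves, tests it without applying anything, and finally merges it into the policy. The LDAP path for the GPO variant is a placeholder.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the original post. Assumed package names:
# Microsoft.Windows.ShellExperienceHost and Microsoft.Windows.Cortana.
Import-Module AppLocker

# --- 1. Confirm the symptom: Packaged app (Appx) collection enforced but empty ---------------
[xml]$effective = Get-AppLockerPolicy -Effective -Xml
$appx = $effective.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq 'Appx' }
if ($appx) {
    'Appx collection: EnforcementMode={0}, rules={1}' -f $appx.EnforcementMode, @($appx.ChildNodes).Count
} else {
    'No Appx rule collection in the effective policy'
}

# The log the post's "no Packaged app rules have been configured" event comes from.
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/Packaged app-Execution' -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-Table -AutoSize -Wrap

# --- 2. Option A: the broad rule, equivalent to "Create Default Rules" in the GPO -------------
# One publisher rule letting Everyone (S-1-1-0) run any signed packaged app, whoever signed it.
$allSignedXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Appx" EnforcementMode="Enabled">
    <FilePublisherRule Id="$([guid]::NewGuid())" Name="All signed packaged apps"
        Description="Allows members of the Everyone group to run packaged apps that are signed."
        UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="0.0.0.0" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
</AppLockerPolicy>
"@

# --- 3. Option B: tighter allow-list built from the packages the shell actually needs ---------
# Publisher rules generated from installed packages pin PublisherName and ProductName, so a
# Store app signed by some other publisher stays blocked. Re-check after feature updates,
# since the shell may ship as a different package.
$shellPackages = 'Microsoft.Windows.ShellExperienceHost', 'Microsoft.Windows.Cortana' |
    ForEach-Object { Get-AppxPackage -AllUsers -Name $_ }
$shellOnlyXml = Get-AppLockerFileInformation -Packages $shellPackages |
    New-AppLockerPolicy -RuleType Publisher -User Everyone -RuleNamePrefix 'StartMenu' -Xml

# --- 4. Pick one, test it offline, then apply ------------------------------------------------
$chosen = $shellOnlyXml          # or $allSignedXml for the default-rule behaviour
$policyPath = Join-Path $env:TEMP 'appx-rules.xml'
Set-Content -Path $policyPath -Value $chosen -Encoding UTF8

# Would the shell packages be allowed under the new rules? Nothing is applied yet.
Test-AppLockerPolicy -XmlPolicy $policyPath -Packages $shellPackages |
    Select-Object FilePath, PolicyDecision, MatchingRule

# Local test box: always -Merge, otherwise the existing Exe rules are replaced.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
# Domain GPO instead, as in the post (placeholder LDAP path, not a real object):
# Set-AppLockerPolicy -XmlPolicy $policyPath -Merge -LdapPath 'LDAP://CN={policy-guid},CN=Policies,CN=System,DC=example,DC=com'
gpupdate /target:computer /force
```

Run step 1 before and after applying the policy: the rule count for the Appx collection should go from 0 to the number of rules you added, and the Packaged app-Execution log should stop reporting blocks for the shell packages.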