A few things to check:
- License, I appreciate that you've said that you've got a valid license. Ensure that there are no license errors in the Event Logs and the Application Control Agent logs.
- Are other Application Control rules working e.g. is regedt32.exe blocked for users (assuming you've not disabled that feature)? Can users launch other applications you've blocked? If so then the License is probably valid as well.
- Launch "appwiz.cpl", is the correct config deployed?
-- If you're using Native configuration deployment, you would need to check manually. However you could push out a test config that blocks notepad.exe to a test endpoint and confirm that notepad.exe is being blocked. It will confirm you have the config you expected.
- Under Global Settings -> Policy Change Requests, are the fields populated as expected?
- The user then needs to match at least one rule with the "Policy Change Requests" tab completed. Probably worth checking that the rule is Restricted. I'm not sure if this is a requirement but while testing an endpoint, ensure that Self-Auth, Audit Only or Unrestricted isn't selected.
Failing the above, I would create a blank config and enable Policy Change Requests for the Everyone group and block a few applications such as Notepad.exe, mspaint.exe. This will help rule out it being a configuration issue.
Thanks for the fast answer.
Everything is fine. No errors in logs, config is deployed, settings are made ...
Under "UserPrivileges" / "Applications" .. I had one folder allowed for "Builtin Elevate" + Subfolders. As I deleted this and made a new policy suddenly the icon on the desktop and the context menu appeared. After that, I made the setting again for this folder and deployed the new policy and the icon and the context are still available. So ... for my understanding ... is it a configuration mistake from my side?
The icon is gone again. So I think the reason is the "applications" setting?!
Having a User Privileges Application rule shouldn't prevent the Policy Change Request from showing. It might have been that the change in Configuration caused an Agent refresh that resulted in the Policy Change Request showing. After that the issue reoccurred when it hit a possible problem.
I suspect that this issue would need a review of the AMAgent logs. I would suggest raising a Support Desk incident.
To cut down on the number of information gathering e-mails by Support, please gather the relevant information in the following article: Raising an Application Control Support Case
I'm having the same issue. Everything looks fine from the agent perspective, just nothing shows up for the policy change request icon nor start menu context. I'm opening a case with support and will post back if we identify root cause.
The latest versions of Application Control have an updated feature for Policy Change Requests. You still set the global options as you did previously, here:
But then to enable, you must now set the options for each group rule. This allows more flexibility in whether you want users to have the email option, the immediate option, an icon on the desktop, etc. Previously, this flexibility could only be achieved by creating a completely separate policy.