Roaming profile users can still install an advertised program after you revoke permissions in the Software Installations GPO (835427)

SYMPTOMS

After you modify the Software Installation settings in a Group Policy object (GPO) to revoke users' permissions for an advertised program that you plan to retire, users who have roaming profiles may still be able to install the program. When a roaming profile user logs on to a computer other than the computer that you used when you revoked permissions, the icon for the program appears on the Start menu. If that user clicks the icon for the program, Microsoft Windows Installer installs the program. Or, if that user double-clicks a document that is associated with the program, Windows Installer installs the program.

CAUSE

This problem occurs because Group Policy has to access the program's application advertisement script (.aas) file to remove the icon on the Start menu and to remove the file associations. The .aas file is hosted in the system volume folder (Sysvol). However, because the users' permissions for the package have been removed, Group Policy cannot remove the icon from the Start menu, and it cannot remove the file associations. If the package is still accessible from the deployment location, roaming users can install the program because the Windows Installer package information is present in the users' profile.

RESOLUTION

To resolve this problem, use one of the following methods instead of revoking users' permissions for the program:

Remove the program from the GPO.
Remove the policy from the organizational unit (OU) if this is the only setting in the policy.
If you plan to upgrade the program, define a new package that upgrades the existing program. You can filter the GPO that contains the new program to control which users have access.
Instead of filtering by using security on the package, filter the GPO.