The application-specific permission settings do not grant Local Activation permission

Question

A colleague of mine suggested that I could fix this error in the GPO. It is a windows 2016 server.

The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{D63B10C5-BB46-4990-A94F-E40B9D520160}
and APPID
{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

Answer 1

I’m not sure if this issue affects the functionality of your app, and as the documentation says, you don't need to fix this issue if it has no effect on function.

These events can be safely ignored because they do not adversely affect functionality and are by design. This is the recommend action for these events.

If it has effect on your application, you can follow these steps to fix it:

1. Open the registry editor as an administrator and nagvigate to HKEY_CLASSES_ROOT\CLSID{D63B10C5-BB46-4990-A94F-E40B9D520160}. If you are in the right location, you also see the APPID as a value. Remember the application name, you can see in the Data column, the corresponding Name column shows (Default).
2. Right click the {D63B10C5-BB46-4990-A94F-E40B9D520160} and click Permissions, then choose Advanced.
3. In the advance security setting window, click Change and type your administrator account. Then click OK.
4. In the "Permissions for..." windows, select the Administrators and activate the Full Permissions checkbox.
5. Repeat step 1 to 4 to add permissions for APPID{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}.
6. Open Component Services as administrator. Navigate to Component Services-Computers-My Computer-DCOM Config. Find the application by application name remembered in step 1 and right click the Properties.
7. Go to the Secutiry tab, choose the appropriate action. You can choose Launch and Activation Permissions, set to Customize, and Edit.
8. Click the name that applies to you and click the appropriate permission.

Answer 2

If permissions can't be changed, you may need to take ownership first.

See also https://www.kapilarya.com/fix-event-10016-error-the-application-specific-permission-settings-do-not-grant-local-activation-permission-in-windows-10

Answer 3

In my case, this error had nothing to do with the permissions. If you have the "Microsoft Vulnerable Driver Blocklist" enabled in Device Security -> Core Isolation, you also have to provide the CI Policies for it.

Microsoft (as always) enables things by default but fails to provide users with how to properly implement these. And because of that, they'd rather suggest to ignore these errors/warnings in the Event Viewer rather than address them.

To fix this:

1. Download and extract the VulnerableDriver Blocklist from here: https://aka.ms/VulnerableDriverBlockList
2. Rename either the Audit or Enforced files from the VulnerableDriverBlockList folder to "SiPolicy". (Suggest the Audit file)
3. Copy the file to %windir%\system32\CodeIntegrity
4. Check your PC's architecture by running in CMD: echo %processor_architecture%
5. Download the Refresh Policy tool for your PC'S architecture from here: https://aka.ms/refreshpolicy
6. Run the RefreshPolicy software.
7. Restart.