On Windows, Local Group Policy files can become corrupted, which can impede some features of the DLP Endpoint Agent, such as installation of the Chrome and Edge Chromium extensions and tamper-proofing of those extensions. In particular, if the LGPO subsystem is corrupted, all Group Policy processing fails, including domain policies, so browser policies managed at the domain level are also not written to the local Registry. Detecting this corruption helps customers recognize the root cause of these issues and turn to the proper resources, such as Microsoft support, to resolve them.
Local Group Policy corruption occurs when any of the following files' contents is damaged to the point that it can no longer be parsed:
Note: The DLP agent does not update the user policy. Only the machine policy is ever updated.
A simple, manual check for registry.pol corruption can be done by running the Local Group Policy editor as an Administrator:
You can also manually open a registry.pol file in a text editor like Windows Notepad to see if the file is structured as expected. If using a tool such as Notepad++ to view the file, select all the text in the file after opening and convert it to UTF-8 (do not save the file in this form; the conversion is only for ease of viewing).
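The same structural check can be done in code. The following is an added example, not part of the original article or of the DLP agent: it walks a registry.pol buffer according to Microsoft's published Registry Policy File format (a `PReg` signature and version 1, then `[key;value;type;size;data]` records in UTF-16LE). The function names and the sample key are hypothetical.

```python
import struct

HEADER = b"PReg" + struct.pack("<I", 1)  # signature, then version 1

class PolCorrupt(ValueError):
    """The buffer does not parse as a registry.pol file."""

def _delim(buf, pos, ch):
    # '[', ';' and ']' are each stored as one UTF-16LE character.
    if buf[pos:pos + 2] != ch.encode("utf-16-le"):
        raise PolCorrupt(f"expected {ch!r} at offset {pos}")
    return pos + 2

def _wstr(buf, pos):
    # NUL-terminated UTF-16LE string, scanned two bytes at a time.
    end = pos
    while buf[end:end + 2] != b"\x00\x00":
        if end + 2 > len(buf):
            raise PolCorrupt(f"unterminated string at offset {pos}")
        end += 2
    return buf[pos:end].decode("utf-16-le", "replace"), end + 2

def _u32(buf, pos):
    # Little-endian DWORD (used for the registry type and the data size).
    if pos + 4 > len(buf):
        raise PolCorrupt(f"truncated DWORD at offset {pos}")
    return struct.unpack_from("<I", buf, pos)[0], pos + 4

def parse_pol(buf):
    """Return [(key, value, type, data), ...]; raise PolCorrupt if malformed."""
    if buf[:8] != HEADER:
        raise PolCorrupt("bad PReg signature or version")
    pos, entries = 8, []
    while pos < len(buf):
        key, pos = _wstr(buf, _delim(buf, pos, "["))
        value, pos = _wstr(buf, _delim(buf, pos, ";"))
        rtype, pos = _u32(buf, _delim(buf, pos, ";"))
        size, pos = _u32(buf, _delim(buf, pos, ";"))
        pos = _delim(buf, pos, ";")
        if pos + size > len(buf):
            raise PolCorrupt(f"data overruns file at offset {pos}")
        entries.append((key, value, rtype, buf[pos:pos + size]))
        pos = _delim(buf, pos + size, "]")
    return entries

# Constructed sample: one REG_DWORD (type 4) value under a made-up key.
SAMPLE = (HEADER + "[Software\\Policies\\Example\0;Enabled\0;".encode("utf-16-le")
          + struct.pack("<I", 4) + b";\0" + struct.pack("<I", 4) + b";\0"
          + struct.pack("<I", 1) + b"]\0")
```

To check a file on disk, read it in binary mode and pass the bytes to `parse_pol`; a `PolCorrupt` exception is the condition to report to the endpoint management tool.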
To detect registry.pol corruption in an automated way, use the following steps with an Endpoint Management tool such as Symantec ITMS:
Another form of LGPO corruption that can cause failures when trying to install DLP agent extensions is when C:\Windows\System32\GroupPolicy\gpt.ini is malformed. When this happens, Windows logs the following error in the Windows System Events log, which can be queried by many Endpoint Management utilities:
Log Name: System
Date: 12/1/2020 4:35:18 PM
Event ID: 1030
Task Category: None
The processing of Group Policy failed. Windows attempted to retrieve new Group Policy settings for this user or computer. Look in the details tab for error code and description. Windows will automatically retry this operation at the next refresh cycle. Computers joined to the domain must have proper name resolution and network connectivity to a domain controller for discovery of new Group Policy objects and settings. An event will be logged when Group Policy is successful.
Typically, a corrupt gpt.ini on a Windows client machine can simply be deleted (don't try this on a Domain Controller), and it will be recreated the next time the user launches the Local Group Policy Editor.