ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

Agent installation errors relating to local group policy (LGPO) corruption

book

Article ID: 208888

calendar_today

Updated On:

Products

Data Loss Prevention

Issue/Introduction

When you attempt to install, uninstall or upgrade a DLP Agent prior to version 15.7 it may fail with errors similar to the following observed in the installAgent.log, uninstallAgent.log or upgradeAgent.log file:

Chrome Examples

v15.1

MSI (s) (C4:20) [13:04:04:158]: Invoking remote custom action. DLL: C:\windows\Installer\MSIA342.tmp, Entrypoint: UnInstallChromeDependencies
Action start 13:04:04: UnInstallChromeDependencies.
2021-02-16 13:04:04 | InstallChromeDependencies | INFO | DoesKeyExist: Specified key not found
RemoveChromeExtension: Error getting enum value for registry key while adding into GPO, 234
InstallChromeLGPO: Error setting/deletig value for registry key while modifying GPO, 234
CustomAction UnInstallChromeDependencies returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
Action ended 13:04:04: UnInstallChromeDependencies. Return value 3.
Action ended 13:04:04: INSTALL. Return value 3.

v15.5

MSI (s) (C4:20) [12:59:27:158]: Invoking remote custom action. DLL: C:\windows\Installer\MSIA342.tmp, Entrypoint: UnInstallChromeDependencies
Action start 12:59:27: UnInstallChromeDependencies.
2021-04-07 12:59:27 | InstallChromeDependencies | INFO | DoesKeyExist: Specified key not found
InstallChromeLGPO: Error opening local GPO, -2147467259
CustomAction UnInstallChromeDependencies returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
Action ended 12:59:27: UnInstallChromeDependencies. Return value 3.
Action ended 12:59:27: INSTALL. Return value 3.
CustomAction  returned actual error code 1603

Office Example

FINEST  | plginst | RemoveEntriesFromCrashedAddinsList::CrashedAddins:- Get values of the keyS-1-5-18\SOFTWARE\Microsoft\Office\16\PowerPoint\Resiliency\CrashingAddinList
FINEST | plginst | InstallLGPO: Error opening local GPO, -2147467259
 

Cause

Any issue with the text "error opening local GPO" may occur when there is LGPO subsystem corruption present on the system - See Detecting Local Group Policy corruption

In the particular case of a browser extension, such as Chrome, a less common issue that has been observed is when Chrome extensions are enforced using the chrome.adm administrative template provided by Google as shown below:

Using this template creates the following entry in the Registry.pol file located at c:\windows\system32\grouppolicy\machine\. Observe the **delvals. instruction underlined in the screenshot below. This GPO instruction causes all values to be deleted in the key which interferes with our API call to RegEnumValue on HKLM\Software\Policies\Google\Chrome\ExtensionInstallForceList.

Below is the typical structure of Registry.pol after installing our agent which uses the Microsoft RegSetValueEx API call to add the DLP extension into the local group policy:

 
 
 
 
 

Environment

DLP 15.x

Resolution

DLP Agent 15.7 and higher are able to continue past local GPO errors during plugin/extension installation and uninstallation. This is especially important for the installation case where we want to get around the environmental issue and let the agent provide as many of its Endpoint protection features as possible. Agents that are unable to deploy extensions due to LGPO corruption will present an alert in the Enforce console that clearly indicates any plugin/extension that is not deployed as expected so that the customer can resolve any environmental issue. See Detecting Local Group Policy corruption

You might encounter a situation where the agent doesn't complete installation when upgrading an existing agent that is prior to version 15.7, since during the upgrade the cached MSI for the current version (with the previous code design which exits when the agent is unable to enumerate the ExtensionInstallForceList key) is used to perform the uninstall portion.

Pre 15.7 Workarounds

Option 1

Temporarily set the Chrome policy "Configure the list of force-installed apps and extensions" to "Not configured" during the uninstallation or upgrade process. It can be re-enabled after upgrading to a post 15.7 agent.

Option 2

If you are already on a 15.5 MP2 agent, prior to HF22, you can use the following as a workaround to upgrade the agent to 15.7 or higher:

  1. Use the patch method to get the 15.5 MP2 agent to HF22 using the patch steps from this KB: DLP Agent installation general overview
  2. Upgrade to the final desired agent version, e.g. 15.7, 15.8, etc.
 
 
 
 
 

Additional Information

See also: DLP Agent Chrome and Edge browser extension management

See also: Detecting Local Group Policy corruption

See also: DLP Agent installation general overview

See also: New or Changed GPO List Processing

Attachments