Agent uninstall or upgrade fails due to error 'RemoveChromeExtension: Error getting enum value for registry key while adding into GPO'

book

Article ID: 208888

calendar_today

Updated On:

Products

Data Loss Prevention

Issue/Introduction

When you attempt to either uninstall or upgrade the DLP Agent it fails with the following errors observed in the uninstallAgent.log or upgradeAgent.log file:

v15.1

MSI (s) (C4:20) [13:04:04:158]: Invoking remote custom action. DLL: C:\windows\Installer\MSIA342.tmp, Entrypoint: UnInstallChromeDependencies
Action start 13:04:04: UnInstallChromeDependencies.
2021-02-16 13:04:04 | InstallChromeDependencies | INFO | DoesKeyExist: Specified key not found
RemoveChromeExtension: Error getting enum value for registry key while adding into GPO, 234
InstallChromeLGPO: Error setting/deletig value for registry key while modifying GPO, 234
CustomAction UnInstallChromeDependencies returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
Action ended 13:04:04: UnInstallChromeDependencies. Return value 3.
Action ended 13:04:04: INSTALL. Return value 3.

v15.5

MSI (s) (C4:20) [12:59:27:158]: Invoking remote custom action. DLL: C:\windows\Installer\MSIA342.tmp, Entrypoint: UnInstallChromeDependencies
Action start 12:59:27: UnInstallChromeDependencies.
2021-04-07 12:59:27 | InstallChromeDependencies | INFO | DoesKeyExist: Specified key not found
InstallChromeLGPO: Error opening local GPO, -2147467259
CustomAction UnInstallChromeDependencies returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
Action ended 12:59:27: UnInstallChromeDependencies. Return value 3.
Action ended 12:59:27: INSTALL. Return value 3.
CustomAction  returned actual error code 1603
 

Cause

This issue may occur when there is LGPO subsystem corruption present on the system - See Detecting Local Group Policy corruption

It may also occur when Chrome extensions are enforced using the chrome.adm administrative template provided by Google as shown below:

Using this template creates the following entry in the Registry.pol file located at c:\windows\system32\grouppolicy\machine\. Observe the **delvals. instruction underlined in the screenshot below. This GPO instruction causes all values to be deleted in the key which interferes with our API call to RegEnumValue on HKLM\Software\Policies\Google\Chrome\ExtensionInstallForceList.

Below is the typical structure of Registry.pol after installing our agent which uses the Microsoft RegSetValueEx API call to add the DLP extension into the local group policy:

 
 
 
 
 

Environment

DLP 15.x

Resolution

DLP Agent 15.7 and higher are able to continue past this error during the uninstall process.

You can encounter this issue when upgrading an existing agent that is prior to version 15.7, since during the upgrade the cached MSI for the current version (with the previous code design which exits when the agent is unable to enumerate the ExtensionInstallForceList key) is used to perform the uninstall portion.

Workarounds

Option 1

Temporarily set the Chrome policy "Configure the list of force-installed apps and extensions" to "Not configured" during the uninstallation or upgrade process. It can be re-enabled after upgrading to a post 15.7 agent.

Option 2

If you are already on a 15.5 MP2 agent, prior to HF22, you can use the following as a workaround to upgrade the agent to 15.7 or higher:

  1. Use the patch method to get the 15.5 MP2 agent to HF22 using the patch steps from this KB: DLP Agent installation general overview
  2. Upgrade to the final desired agent version, e.g. 15.7, 15.8, etc.
 
 
 
 
 

Additional Information

See also: DLP Agent Chrome and Edge browser extension management

See also: Detecting Local Group Policy corruption

See also: DLP Agent installation general overview

See also: New or Changed GPO List Processing

Attachments