Detecting Local Group Policy corruption

Article ID: 204271

Products

Data Loss Prevention Endpoint Prevent

Issue/Introduction

On Windows, Local Group Policy files can become corrupted, which can impede some features of the DLP Endpoint Agent, such as Chrome and Edge Chromium extension installation and tamper-proofing of these extensions. In particular, if the LGPO subsystem is corrupted, all group policy processing fails, including domain policies, so browser policies managed at the domain level are also not written to the local Registry. Detecting this corruption helps customers recognize the root cause of these issues and turn to the proper resources, such as Microsoft support, to resolve them.

Local Group Policy corruption occurs when any of the following files' contents is damaged to the point that it can no longer be parsed:

  • C:\Windows\System32\GroupPolicy\Machine\Registry.pol
  • C:\Windows\System32\GroupPolicy\User\Registry.pol
  • C:\Windows\System32\GroupPolicy\gpt.ini

Note: The DLP agent does not update the user policy. Only the machine policy is ever updated.

Resolution

A simple, manual check for registry.pol corruption can be done by running the Local Group Policy editor as an Administrator:

  1. Launch gpedit.msc (or gpedit.exe)
  2. If any registry.pol file is corrupted, you will see the following error dialog:

You can also manually open a registry.pol file in a text editor like Windows Notepad to see if the file is structured as expected. If using a tool such as Notepad++ to view the file, select all the text in the file after opening and convert it to UTF-8 (don't save it like this; the conversion is just for ease of viewing).

To detect registry.pol corruption in an automated way, use the following steps with an Endpoint Management tool such as Symantec ITMS:

  1. Download the lgpo.exe tool from the Microsoft Security Compliance Toolkit and run it as a task against an endpoint with the command shown below:
    LGPO.exe /parse /m %windir%\system32\grouppolicy\machine\registry.pol > registry.txt 2>&1
  2. Parse the registry.txt (or alternatively the standard output and standard error streams) for the following:
    1. Corruption Case
      Invalid file format
    2. No Corruption
      PARSING COMPLETED

Another form of LGPO corruption that can cause failures when trying to install DLP agent extensions is when C:\Windows\System32\GroupPolicy\gpt.ini is malformed. When this happens, Windows logs the following error in the Windows System Events log, which can be queried by many Endpoint Management utilities:

Log Name:      System
Source:        Microsoft-Windows-GroupPolicy
Date:          12/1/2020 4:35:18 PM
Event ID:      1030
Task Category: None
Level:         Error
Keywords:      
User:          SYSTEM
Computer:      win10
Description:
The processing of Group Policy failed. Windows attempted to retrieve new Group Policy settings for this user or computer. Look in the details tab for error code and description. Windows will automatically retry this operation at the next refresh cycle. Computers joined to the domain must have proper name resolution and network connectivity to a domain controller for discovery of new Group Policy objects and settings. An event will be logged when Group Policy is successful.

Typically, a corrupt gpt.ini on a Windows client machine can simply be deleted (don't try this on a Domain Controller), and it will be recreated the next time the user launches the Local Group Policy Editor.
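
The two automated checks above (the LGPO.exe parse of the machine registry.pol and the Event ID 1030 query) combined into one detection script for an endpoint-management task. This is an added example, not code from this article or from Microsoft; the LGPO.exe location next to the script, the 7-day lookback window, the status names and the exit-code scheme are assumptions.

```powershell
# Added example: run elevated as an endpoint-management task.
# Assumptions: LGPO.exe is deployed beside this script; lookback window is 7 days.
param(
    [string]$LgpoExe = (Join-Path $PSScriptRoot 'LGPO.exe'),
    [string]$PolFile = "$env:windir\System32\GroupPolicy\Machine\Registry.pol",
    [int]$LookbackDays = 7
)

function Get-PolParseStatus {
    param([string]$Text)
    # Check the corruption marker first so partial output is never reported healthy.
    if ($Text -match 'Invalid file format') { return 'Corrupt' }
    if ($Text -match 'PARSING COMPLETED')   { return 'Healthy' }
    return 'Unknown'   # neither marker seen: treat as needing review
}

if (-not (Test-Path -LiteralPath $PolFile)) {
    $status = 'NotPresent'          # no machine policy file, so nothing to parse
} elseif (-not (Test-Path -LiteralPath $LgpoExe)) {
    $status = 'Unknown'             # tool missing, cannot decide
} else {
    # Capture stdout and stderr together, as the article's "> registry.txt 2>&1" does.
    $output = & $LgpoExe /parse /m $PolFile 2>&1 | Out-String
    $status = Get-PolParseStatus -Text $output
}

# Event ID 1030 from Microsoft-Windows-GroupPolicy in the System log.
$filter = @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-GroupPolicy'
    Id           = 1030
    StartTime    = (Get-Date).AddDays(-$LookbackDays)
}
# Get-WinEvent reports an error when nothing matches; suppress it and count zero.
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

[pscustomobject]@{
    Computer       = $env:COMPUTERNAME
    RegistryPol    = $status
    Event1030Count = $events.Count
}

# Non-zero exit codes let the management tool flag the endpoint.
if ($status -eq 'Corrupt') { exit 2 }
if ($status -eq 'Unknown' -or $events.Count -gt 0) { exit 1 }
exit 0
```

Exit code 1 with a healthy registry.pol means Event ID 1030 was logged in the window, which is the case to follow up by inspecting gpt.ini.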

Additional Information

See also: DLP Agent Chrome and Edge browser extension management