{"id":12556,"date":"2020-01-10T00:15:00","date_gmt":"2020-01-09T23:15:00","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=12556"},"modified":"2020-01-09T20:07:21","modified_gmt":"2020-01-09T19:07:21","slug":"windows-10-v1909-and-a-possible-gpo-issue-part-2","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2020\/01\/10\/windows-10-v1909-and-a-possible-gpo-issue-part-2\/","title":{"rendered":"Windows 10 V1909 and a possible GPO Issue – Part 2"},"content":{"rendered":"

[German<\/a>]In Windows 10 November 2019 Update (Version 1909), there appears to be an issue with Group Policies, because they cannot be enabled reliably. I already mentioned this a few days ago. Now I have received new information from an affected blog reader. Possibly the Windows Defender, which is distributed via the ISO installation media for Windows 10 version 1909, is involved in the problems. <\/p>\n

<\/p>\n

Some background<\/h2>\n

\"\"German blog reader Markus K. informed me at the end of 2019 about a strange observation in Windows 10 November 2019 Update (Version 1909). On freshly installed Windows 10 November 2019 Update (Version 1909) test systems Group Policy settings does not work in a reliable way. <\/p>\n

Markus K. wrote in a mail to me that on computers running Windows 10 version 1909 it is simply a matter of chance whether a group policy takes effect or not. Neither the event log nor the GPSVC log are very useful, he said. I mentioned this on December 30, 2019 in the blog post Windows 10 V1909 and a possible GPO Issue<\/a>. After publishing, I got feedback from readers also observing the behavior.  <\/p>\n

New details about the problem<\/h2>\n

Within the last hours blog reader Markus K. informed me about his further findings. Tips given in comments to the previous blog post (like caching or setting policy Configure security policy processing<\/em>) seem to be useless. Markus wrote: I followed all hints given in the blog, unfortunately without result. By the way, the log looks like this:<\/p>\n

\n

GPSVC(4dc.62c) 08:47:18:084 ProcessGPOs(Machine): Processing extension Registrierung
GPSVC(4dc.62c) 08:47:18:084 ReadStatus: Read Extension's Previous status successfully.
GPSVC(4dc.62c) 08:47:18:084 ReadGPOList:++
GPSVC(4dc.62c) 08:47:18:084 CheckGPOs: ReadGPOList count = 0
GPSVC(4dc.62c) 08:47:18:085 CompareGPOLists:  One list is empty
GPSVC(4dc.62c) 08:47:18:085 GPLockPolicySection: Sid = (null), dwTimeout = 30000, dwFlags = 0x40
GPSVC(4dc.62c) 08:47:18:085 bMachine = 1
GPSVC(4dc.62c) 08:47:18:085 Global Sync Lock Called
GPSVC(4dc.62c) 08:47:18:086 Writer Lock got immediately.
GPSVC(4dc.62c) 08:47:18:086 Global Lock taken successfully
GPSVC(4dc.62c) 08:47:18:086 ProcessGPOList:++ Entering for extension Registrierung
GPSVC(4dc.62c) 08:47:18:086 MachinePolicyCallback: Setting status UI to Richtlinie \"Registrierung\" wird \u00fcbernommen…
GPSVC(4dc.62c) 08:47:18:090 LogExtSessionStatus: Successfully logged Extension Session data
GPSVC(4dc.62c) 08:47:18:091 GPLockPolicySection: Sid = (null), dwTimeout = 60000, dwFlags = 0x42
GPSVC(4dc.62c) 08:47:18:091 Registry Sync Lock Called
GPSVC(4dc.62c) 08:47:18:091 Writer Lock got immediately.
GPSVC(4dc.62c) 08:47:18:091 Registry Lock taken successfully
GPSVC(4dc.62c) 08:47:18:094 ResetPolicies: Entering.
GPSVC(4dc.62c) 08:47:18:094 SetPolicyOwnerOnKey: Setting owner on reg key on <Software\\Policies>.
GPSVC(4ec.66c) 08:58:41:299 SetPolicyOwnerOnKey: Setting owner on reg key on <Software\\Policies>.
GPSVC(4ec.66c) 08:58:41:299 SetPolicyOwnerOnKey: Setting owner on reg key on <Software\\Microsoft\\Windows\\CurrentVersion\\Policies>.
GPSVC(4ec.66c) 08:58:41:299 SetPolicyOwnerOnKey: Setting owner on reg key on <System\\CurrentControlSet\\Policies>.
GPSVC(4ec.66c) 08:58:41:300 ParseRegistryFile: Entering with <C:\\ProgramData\\ntuser.pol>.
GPSVC(4ec.66c) 08:58:41:300 DeleteRegistryValue: Deleted Software\\Policies\\Microsoft\\SystemCertificates\\EFS\\EFSBlob
GPSVC(4ec.66c) 08:58:41:301 DeleteRegistryValue: Deleted Software\\Policies\\Microsoft\\SystemCertificates\\EFS\\Certificates\\
13A2741223481A329363D0BDCEAA9995FED85A70\\Blob
GPSVC(4ec.66c) 08:58:41:301 DeleteRegistryValue: Deleted Software\\Policies\\Microsoft\\SystemCertificates\\EFS\\CRLs\\
\u2026.
GPSVC(4dc.62c) 08:47:18:098 DeleteRegistryValue: Deleted Software\\Policies\\Microsoft\\Windows\\System\\EnableSmartScreen
GPSVC(4dc.62c) 08:47:18:099 DeleteRegistryValue: Deleted Software\\Policies\\Microsoft\\Windows\\System\\ShellSmartScreenLevel
GPSVC(4dc.62c) 08:47:18:099 RegCleanUpKey:  Failed to delete value <DisableAntiSpyware> with 5.
GPSVC(4dc.62c) 08:47:18:099 DeleteRegistryValue: Failed to delete Software\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware
GPSVC(4dc.62c) 08:47:18:099 ParseRegistryFile: Callback function returned false.
\u2026
GPSVC(4dc.62c) 08:47:18:238 ProcessGPOs(Machine): Extension Registrierung ProcessGroupPolicy failed, status 0x80004005.<\/p>\n<\/blockquote>\n

At the end of the log there is suddenly an access error 0x80004005. Could this be a trace to the root cause?<\/p>\n

Blame the Windows Defender<\/h3>\n

In further tests Markus digged into the matter and found a possible root cause. He wrote in a follow-up mail: <\/p>\n

\n

The Windows Defender (we use it as AV solution) is to blame!<\/p>\n<\/blockquote>\n

\n

We have a GPO with security filtering with a computer group, where you can put a computer to turn off the Defender. If you install the computer with Windows Defender disabled, all GPOs will be applied! If you install the same device again with activated Defender, GPOs will fail. <\/p>\n<\/blockquote>\n

Markus joined the test system with Windows 10 version 1909 [and Defender turned off] back into the computer group and rebooted the client twice. Here is a new log extract:<\/p>\n

\n

GPSVC(4ec.66c) 08:58:41:281 ProcessGPOs(Machine): —————
GPSVC(4ec.66c) 08:58:41:281 ProcessGPOs(Machine): Processing extension Registrierung
GPSVC(4ec.66c) 08:58:41:282 ReadStatus: Read Extension's Previous status successfully.
GPSVC(4ec.66c) 08:58:41:282 ReadGPOList:++
GPSVC(4ec.66c) 08:58:41:282 CheckGPOs: ReadGPOList count = 0
GPSVC(4ec.66c) 08:58:41:282 CompareGPOLists:  One list is empty
GPSVC(4ec.66c) 08:58:41:283 GPLockPolicySection: Sid = (null), dwTimeout = 30000, dwFlags = 0x40
GPSVC(4ec.66c) 08:58:41:283 bMachine = 1
GPSVC(4ec.66c) 08:58:41:283 Global Sync Lock Called
GPSVC(4ec.66c) 08:58:41:283 Writer Lock got immediately.
GPSVC(4ec.66c) 08:58:41:283 Global Lock taken successfully
GPSVC(4ec.66c) 08:58:41:283 ProcessGPOList:++ Entering for extension Registrierung
GPSVC(4ec.66c) 08:58:41:283 MachinePolicyCallback: Setting status UI to Richtlinie \"Registrierung\" wird \u00fcbernommen…
GPSVC(4ec.66c) 08:58:41:284 GetWbemServices: CoCreateInstance succeeded
GPSVC(4ec.66c) 08:58:41:288 ConnectToNameSpace: ConnectServer returned 0x0
GPSVC(4ec.66c) 08:58:41:297 LogExtSessionStatus: Successfully logged Extension Session data
GPSVC(4ec.66c) 08:58:41:297 GPLockPolicySection: Sid = (null), dwTimeout = 60000, dwFlags = 0x42
GPSVC(4ec.66c) 08:58:41:297 Registry Sync Lock Called
GPSVC(4ec.66c) 08:58:41:297 Writer Lock got immediately.
GPSVC(4ec.66c) 08:58:41:297 Registry Lock taken successfully
GPSVC(4ec.66c) 08:58:41:299 ResetPolicies: Entering.
GPSVC(4ec.66c) 08:58:41:299 SetPolicyOwnerOnKey: Setting owner on reg key on <Software\\Policies>.
GPSVC(4ec.66c) 08:58:41:299 SetPolicyOwnerOnKey: Setting owner on reg key on <Software\\Microsoft\\Windows\\CurrentVersion\\Policies>.
GPSVC(4ec.66c) 08:58:41:299 SetPolicyOwnerOnKey: Setting owner on reg key on <System\\CurrentControlSet\\Policies>.
GPSVC(4ec.66c) 08:58:41:300 ParseRegistryFile: Entering with <C:\\ProgramData\\ntuser.pol>.
GPSVC(4ec.66c) 08:58:41:300 DeleteRegistryValue: Deleted Software\\Policies\\Microsoft\\SystemCertificates\\EFS\\EFSBlob
GPSVC(4ec.66c) 08:58:41:301 DeleteRegistryValue: Deleted Software\\Policies\\Microsoft\\SystemCertificates\\EFS\\Certificates\\
13A2741223481A329363D0BDCEAA9995FED85A70\\Blob
GPSVC(4ec.66c) 08:58:41:301 DeleteRegistryValue: Deleted Software\\Policies\\Microsoft\\SystemCertificates\\EFS\\CRLs\\
GPSVC(4ec.66c) 08:58:41:301 DeleteRegistryValue: Deleted Software\\Policies\\Microsoft\\SystemCertificates\\EFS\\CTLs\\
GPSVC(4ec.66c) 08:58:41:302 DeleteRegistryValue: Deleted Software\\Policies\\Microsoft\\MicrosoftEdge\\PhishingFilter\\EnabledV9
GPSVC(4ec.66c) 08:58:41:302 DeleteRegistryValue: Deleted Software\\Policies\\Microsoft\\Windows\\System\\EnableSmartScreen
GPSVC(4ec.66c) 08:58:41:303 DeleteRegistryValue: Deleted Software\\Policies\\Microsoft\\Windows\\System\\ShellSmartScreenLevel
GPSVC(4ec.66c) 08:58:41:308 DeleteRegistryValue: Deleted Software\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware
GPSVC(4ec.66c) 08:58:41:308 DeleteRegistryValue: Deleted Software\\Policies\\Microsoft\\Windows Defender\\AllowFastServiceStartup
GPSVC(4ec.66c) 08:58:41:309 DeleteRegistryValue: Deleted Software\\Policies\\Microsoft\\Windows Defender\\ServiceKeepAlive
GPSVC(4ec.66c) 08:58:41:309 DeleteRegistryValue: Deleted Software\\Policies\\Microsoft\\Windows Defender\\RandomizeScheduleTaskTimes
GPSVC(4ec.66c) 08:58:41:310 DeleteRegistryValue: Deleted Software\\Policies\\Microsoft\\Windows Defender\\Exclusions\\Exclusions_Paths
GPSVC(4ec.66c) 08:58:41:310 DeleteRegistryValue: Deleted Software\\Policies\\Microsoft\\Windows Defender\\Exclusions\\Paths\\c:\\empirumagent
GPSVC(4ec.66c) 08:58:41:311 DeleteRegistryValue: Deleted Software\\Policies\\Microsoft\\Windows Defender\\Quarantine\\PurgeItemsAfterDelay
GPSVC(4ec.66c) 08:58:41:311 DeleteRegistryValue: Deleted Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableOnAccessProtection
GPSVC(4ec.66c) 08:58:41:311 DeleteRegistryValue: Deleted Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableIOAVProtection
GPSVC(4ec.66c) 08:58:41:311 DeleteRegistryValue: Deleted Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableScanOnRealtimeEnable
GPSVC(4ec.66c) 08:58:41:312 DeleteRegistryValue: Deleted Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableBehaviorMonitoring
GPSVC(4ec.66c) 08:58:41:312 DeleteRegistryValue: Deleted Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableRawWriteNotification
.
GPSVC(4ec.66c) 08:58:42:062 ProcessGPOList: Extension Registrierung was able to log data. RsopStatus = 0x0, dwRet = 0, Clearing the dirty bit<\/p>\n<\/blockquote>\n

The error code 0x80004005 no longer appears in the log. Markus wrote that he can reproduce this behavior. His first speculation was that it could be due to the Defender settings. But during tests within the last days with different scenarios there was a crude error pattern. <\/p>\n