Click an Ad

If you find this blog helpful, please support me by clicking an ad!

Wednesday, July 8, 2015

Problems Pushing Software via GPO Leads Me to Group Policy 1058 Error 65

After I pushed out this month's Adobe Patch via group policy, I wasn't getting one of my test systems to process the patch. I found the following message in the system log:

Source: Group Policy
Event ID: 1058
The processing of Group Policy failed. Windows attempted to read the file \\\SysVol\\Policies\{49BA4D4E-A307-40D3-A809-67CE80C5165A}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following: 
a) Name Resolution/Network Connectivity to the current domain controller. 
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller). 
c) The Distributed File System (DFS) client has been disabled.

If you flip over to the details tab, it says ErrorCode 65, and farther down that Network access is denied.

This problem is directly related to the group policy settings that Microsoft recommended to harden group policy, and is outlined in MS15-011 and MS15-014.

Apparently, some enterprising gent had this issue before, opened a case with Microsoft, and posted the case resolution at the bottom of this Technet forum post.

Resolution:- Suggested to edit the GPO for UNC hardening and change value of RequireMutualAuthentication & RequireIntegrity to 0 from 1 (previous value) for path \\*\NETLOGON & \\*\SYSVOL. We have confirmed that this is a known reported problem where we get ErrorDescription Network access is denied. In event id 1058 and group policy processing fails for computers when KB3004361 is applied.

I left NETLOGON alone - all of our login scripts in there appear to be processing normally, but I did change the SYSVOL to 0 and 0. After I performed gpupdate /force and rebooted twice, my software installed successfully and there was no GP 1058 error.

Tuesday, July 7, 2015