Wednesday, July 8, 2015

Problems Pushing Software via GPO Leads Me to Group Policy 1058 Error 65

After I pushed out this month's Adobe Patch via group policy, I wasn't getting one of my test systems to process the patch. I found the following message in the system log:

Source: Group Policy
Event ID: 1058
The processing of Group Policy failed. Windows attempted to read the file \\contoso.com\SysVol\contoso.com\Policies\{49BA4D4E-A307-40D3-A809-67CE80C5165A}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following: 
a) Name Resolution/Network Connectivity to the current domain controller. 
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller). 
c) The Distributed File System (DFS) client has been disabled.

If you flip over to the details tab, it says ErrorCode 65, and farther down that Network access is denied.

This problem is directly related to the group policy settings that Microsoft recommended to harden group policy, and is outlined in MS15-011 and MS15-014.

Apparently, some enterprising gent had this issue before, opened a case with Microsoft, and posted the case resolution at the bottom of this TechNet forum post.

Resolution: Suggested to edit the GPO for UNC hardening and change value of RequireMutualAuthentication & RequireIntegrity to 0 from 1 (previous value) for path \\*\NETLOGON & \\*\SYSVOL. We have confirmed that this is a known reported problem where we get ErrorDescription "Network access is denied" in event ID 1058 and group policy processing fails for computers when KB3004361 is applied.

I left NETLOGON alone - all of our login scripts in there appear to be processing normally, but I did change the SYSVOL to 0 and 0. After I performed gpupdate /force and rebooted twice, my software installed successfully and there was no GP 1058 error.
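
To keep track of which machines still carry this relaxed setting so it can be reverted later, the following added example (not part of the original post or the Microsoft case notes) reads the UNC hardening values on the local machine and reports whether \\*\SYSVOL and \\*\NETLOGON still require mutual authentication and integrity. The registry location is the one the "Hardened UNC Paths" policy writes to and is not quoted in the post; the function names are hypothetical.

```powershell
# Where the "Hardened UNC Paths" Group Policy setting is stored (not quoted in the post).
$HardenedPathsKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'

# Hypothetical helper: turn "RequireMutualAuthentication=1, RequireIntegrity=1"
# into a hashtable of setting name -> value.
function ConvertFrom-HardenedPathValue {
    param([string]$Value)
    $settings = @{}
    foreach ($pair in ($Value -split ',')) {
        $name, $setting = $pair.Trim() -split '=', 2
        if ($name) { $settings[$name.Trim()] = "$setting".Trim() }
    }
    $settings
}

# Hypothetical helper: report one path and whether both protections are on.
function Test-HardenedPath {
    param([string]$Path, [string]$Value)
    $s = ConvertFrom-HardenedPathValue $Value
    [pscustomobject]@{
        Path                        = $Path
        RequireMutualAuthentication = $s['RequireMutualAuthentication']
        RequireIntegrity            = $s['RequireIntegrity']
        # A missing entry or a value of 0 both mean the path is not hardened.
        Hardened = ($s['RequireMutualAuthentication'] -eq '1' -and
                    $s['RequireIntegrity'] -eq '1')
    }
}

# Collect whatever the policy has written on this machine.
$configured = @{}
if (Test-Path $HardenedPathsKey) {
    $key = Get-Item $HardenedPathsKey
    foreach ($name in $key.GetValueNames()) {
        $configured[$name] = [string]$key.GetValue($name)
    }
}

# The two paths named in the case resolution above.
foreach ($path in '\\*\SYSVOL', '\\*\NETLOGON') {
    if ($configured.ContainsKey($path)) { Test-HardenedPath $path $configured[$path] }
    else { Test-HardenedPath $path '' }
}
```

With the change described above applied, the SYSVOL row reports Hardened as False and the NETLOGON row reports True.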

7 comments:

  1. Be aware this workaround negates UNC hardening. The systems to which you apply the workaround will be susceptible to the MITM/RCE vulnerability MS15-011 is intended to address. Ideally, this would be a temporary workaround.

  2. Thanks! Yeah as soon as I get a decent patch mgmt solution in here I'll go back to the secure method. It's sad that MS pushed this workaround but didn't say anything about it interfering with software deployment, but I guess I should have expected issues with MS's testing being.... less than ideal.

  3. Thanks, you saved my ass! Brand new environment Win 2012 R2 with 20 Win 10 x64. It worked for 2 weeks and then this....I really love Microsoft...9000 euro worth of licences ... I feel like vomiting now...
    Sorry for the rant.

  4. See: http://i.imgur.com/MZSHfOV.png

  5. Thanks for helping me out! I was already writing a broad email to one of Microsoft Dynamics partners, not knowing that the solution could be so simple.
    Cheers!
