I recently in my lab environment discovered a group policy error that was quite interesting, I only got the error for some of my Windows 10 machines, so I started to investigate. In the end this was a total unnecessary troubleshooting, but during the time I learned that there are several CSEs not documented, there will be a post of all the CSEs in Windows 10 soon.
When running GPUpdate, this message appears
So what is the {F312195E-3D9D-447A-A3F5-08DFFA24735E} ?
(Not in my case, but in other cases this may point to a Group Policy Object Guid, and these can be discovered by either Group Policy Management Tool or just browse the \DomainSysVol)
Anyway in this case {F312195E-3D9D-447A-A3F5-08DFFA24735E} is a GUID for a Group Policy Extension or full name CSE, Client Side Extension. So basically I do what everyone else do, starting to browse MSDN, TechNet and searching for more information about the CSE, but no luck. I really needed to know about this problem, so now the troubleshooting start
All group policy extensions are listed in the registry
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogonGPExtensions
And it looks something like this (Note! This may not be the same list you are seeing due to installed applications, features, tools etc)
So I found this information for my extension
ProcessVirtualizationBasedSecurityGroupPolicy, this bring your mind to Device Guard. So what GPOs are using this CSE? Open regedit and browse to the registry key
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionGroup PolicyDataStoreMachine
and search for the GUID: {F312195E-3D9D-447A-A3F5-08DFFA24735E}
I got two hits (The extension GUID is found in the Extensions value)
One hit was for the local group policy
One central GPO for Device Guard/Credential Guard, so I started looking at the central GPO.
I disabled the link, by right clicking the GPO and uncheck Link Enabled
I re-ran GPUpdate /force at the client to be sure that all group polices are refreshed.
Finally the result was successful!
Ok to sum this up
One of the requirements for Device Guard or Virtualization Based Security is the feature Hyper-V Hypervisor, and this is not possible to enable in VMs. (OK, yes, it is possible if you enable nested Hyper-V, but I haven’t done that, because it does not work together with Isolated User Mode/vTPM)
When you enable the Device Guard policy it will automatically try to enable required features, and this is not possible since it is not supported in VMs. So basically this is by design and the error message just tells you that VBS/VSM/Device Guard was not able to start and the CSE failed.
Make sure to only enable Virtualization Based Security/Virtual Based Security/Credential Guard/Device Guard on physical machines that have the correct hardware and software requirements, also remember to only enable the Secure Boot and DMA protection on hardware where this is supported else Credential Guard will not be enabled.
More about the requirements for Device Guard/Credential Guard may be found here
- https://technet.microsoft.com/en-us/library/mt483740%28v=vs.85%29.aspx#HARDWARE_AND_SOFTWARE_REQUIREMENTS
Some random resources about Client Side Extensions
- https://technet.microsoft.com/en-us/library/jj573586.aspx
- https://support.microsoft.com/en-us/kb/216357
- http://blogs.technet.com/b/mempson/archive/2010/12/01/group-policy-client-side-extension-list.aspx
- Remove From My Forums
-
Question
-
All our clients having issues applying a GPO with Device Guard settings since some days.
<Data Name=»ErrorCode«>2147942402</Data>
><Data Name=»CSEExtensionName«>{F312195E-3D9D-447A-A3F5-08DFFA24735E}</Data>
The Problem is that the registry value «HKLMSOFTWAREPoliciesMicrosoftWindowsDeviceGuardHypervisorEnforcedCodeIntegrity»
is missing.From Process Monitor:
08:54:33,2109386 svchost.exe 9820 RegQueryValue HKLMSOFTWAREPoliciesMicrosoftWindowsDeviceGuardHypervisorEnforcedCodeIntegrity NAME NOT FOUND Length: 144When I manually create a DWORD value «HypervisorEnforcedCodeIntegrity» with value 0 the error goes away and the policy applies fine again.
Windows 10 Enterprise 1607
Build 14393.970
- Remove From My Forums
-
Question
-
Hey Guys,
So, I have a new Windows 10 machine that we are trying to introduce to the network. Since this is a secure network it has to go through IA for approval and they need to link up to it and scan it with ACAS.
I started the Remote Registry service and attempted to enable ICMPv4 and v6 under Windows Firewall With Security, but I apparently didn’t have permissions to modify them even being the local administrator (the only account on the computer).
I googled my butt off and did everything I can find. The obvious options didn’t work for the same reasons I just mentioned «This is managed by your sys admin so some options may not be modified blah blah blah»
I opened gpedit.msc and enabled ICMP traffic on the Standard Profile and Domain Profile under the following path:
Computer Configuration > Administrative Templates > Network > Network Connections > Windows Defender Firewall
I checked every option available. Nothing…
I even used command line to create rules for windows firewall rules (why not right?) using netsh advfirewall firewall blah blah blah… I created ICMPv4 and v6 Echo Requests and Redirects. Still no luck, so I created rules allowing every type that I could
check.I’m at a loss. I do have McAfee on the machine, I turned that off completely just in case and still nothing.
As some background, I can ping anything FROM the machine, I just can’t PING the machine from anything else. I have full access to the domain resources and the machine even appears in ADUC.
I am racking my brain and any solution would be phenomenal!
Thanks,
Justin
- Remove From My Forums
-
Question
-
Hey Guys,
So, I have a new Windows 10 machine that we are trying to introduce to the network. Since this is a secure network it has to go through IA for approval and they need to link up to it and scan it with ACAS.
I started the Remote Registry service and attempted to enable ICMPv4 and v6 under Windows Firewall With Security, but I apparently didn’t have permissions to modify them even being the local administrator (the only account on the computer).
I googled my butt off and did everything I can find. The obvious options didn’t work for the same reasons I just mentioned «This is managed by your sys admin so some options may not be modified blah blah blah»
I opened gpedit.msc and enabled ICMP traffic on the Standard Profile and Domain Profile under the following path:
Computer Configuration > Administrative Templates > Network > Network Connections > Windows Defender Firewall
I checked every option available. Nothing…
I even used command line to create rules for windows firewall rules (why not right?) using netsh advfirewall firewall blah blah blah… I created ICMPv4 and v6 Echo Requests and Redirects. Still no luck, so I created rules allowing every type that I could
check.I’m at a loss. I do have McAfee on the machine, I turned that off completely just in case and still nothing.
As some background, I can ping anything FROM the machine, I just can’t PING the machine from anything else. I have full access to the domain resources and the machine even appears in ADUC.
I am racking my brain and any solution would be phenomenal!
Thanks,
Justin
This error occurs when applying the Microsoft W10 1709 security baseline to a W10 1709 device. The error will show when running GPUpdate on the command line as shown below, and in a GPResults report.
Cause
Since the W10 1703, Microsoft has removed the Untrusted Font Blocking setting from it’s security baseline.
As expected, the W10 1709 security baseline also does not have this setting, and support for the GPExtension that applies this setting has been removed from the OS altogether. However the GPO backup provided for the W10 1709 Computer Security baseline still includes this extension, even though the setting is not enabled, which is what causes the error you see above.
Fix
You can fix the problem by removing the MitigationOptions GPExtension GUID from the Microsoft backup and then re-importing the GPO into your environment.
To find the right extension GUID we run a GPResult /H gpresult.html on an affected client. Open the gpresult.htm and drill down into the MitigationOptions error until you find the details shown below, which displays the ExtensionId. You’ll need that GUID in a second.
Open the Backup.xml file located in the Microsoft baseline folder GPOs{50FB9D1D-4213-434F-9FD3-DC82D8201178}, this is the backup of the Computer security baseline. Locate the GUID you find in the ExtensionId field {2A8FDC61-2347-4C87-92F6-B05EB91A201A} and delete it from the MachineExtensionGuids tag.
Before
<MachineExtensionGuids>
<![CDATA[[{2A8FDC61-2347-4C87-92F6-B05EB91A201A}{D02B1F72-3407-48AE-BA88-E8213C6761F1}][{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957D-509E-11D1-A7CC-0000F87571E3}{B05566AC-FE9C-4368-BE01-7A4CBB6CBA11}{D02B1F72-3407-48AE-BA88-E8213C6761F1}][{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}][{D76B9641-3288-4F75-942D-087DE603E3EA}{D02B1F72-3407-48AE-BA88-E8213C6761F1}][{F312195E-3D9D-447A-A3F5-08DFFA24735E}{D02B1F72-3407-48AE-BA88-E8213C6761F1}][{F3CCC681-B74C-4060-9F26-CD84525DCA2A}{0F3F3735-573D-9804-99E4-AB2A69BA5FD4}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]]]>
</MachineExtensionGuids>
After
<MachineExtensionGuids>
<![CDATA[[{D02B1F72-3407-48AE-BA88-E8213C6761F1}][{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957D-509E-11D1-A7CC-0000F87571E3}{B05566AC-FE9C-4368-BE01-7A4CBB6CBA11}{D02B1F72-3407-48AE-BA88-E8213C6761F1}][{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}][{D76B9641-3288-4F75-942D-087DE603E3EA}{D02B1F72-3407-48AE-BA88-E8213C6761F1}][{F312195E-3D9D-447A-A3F5-08DFFA24735E}{D02B1F72-3407-48AE-BA88-E8213C6761F1}][{F3CCC681-B74C-4060-9F26-CD84525DCA2A}{0F3F3735-573D-9804-99E4-AB2A69BA5FD4}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]]]>
</MachineExtensionGuids>
Save the Backup.xml, re-Import the baseline and voila, no more error.
Also, in case you were wondering, the other Mitigation Option setting Process Mitigation Options, uses a different GPExtension GUID and name.
Colin
Windows 10: Error on gpupdate /force
Discus and support Error on gpupdate /force in Windows 10 Customization to solve the problem; I got Windows 10 Enterprise version 1803, and it is client machine of our internal domain controller in our network.
I just found out it showed up…
Discussion in ‘Windows 10 Customization’ started by -KELLY-, Jun 25, 2019.
-
Error on gpupdate /force
I got Windows 10 Enterprise version 1803, and it is client machine of our internal domain controller in our network.
I just found out it showed up the error as below when I executed gpupdate /force from command prompt with Administrator permission.
————————-
Updating policy…
Computer Policy update has completed successfully.
The following warnings were encountered during computer policy processing:
Windows failed to apply the {F312195E-3D9D-447A-A3F5-08DFFA24735E} settings. {F312195E-3D9D-447A-A3F5-08DFFA24735E} settings might have its own log file. Please click on the «More information» link.
User Policy update has completed successfully.For more detailed information, review the event log or run GPRESULT /H GPReport.html from the command line to access information about Group Policy results.
————————-
When I execute gpresult /h gpresult.html, and confirm the result, there are 3 errors listed as below.
First 2 errors link to the following Microsoft article after clicking more information links.
Understand the Effect of Fast Logon Optimization and Fast Startup on Group Policy
The error at the bottom give these 3 event IDs after clicking view log links.
———————————————
(Event ID) 4016
Starting {F312195E-3D9D-447A-A3F5-08DFFA24735E} Extension Processing. List of applicable Group Policy objects: (Changes were detected.)
(Event ID) 1085
Windows failed to apply the {F312195E-3D9D-447A-A3F5-08DFFA24735E} settings. {F312195E-3D9D-447A-A3F5-08DFFA24735E} settings might have its own log file. Please click on the «More information» link.
(Event ID) 7016
Completed {F312195E-3D9D-447A-A3F5-08DFFA24735E} Extension Processing in 15 milliseconds.
———————————————
First of all I would like to identify what kind of group pollicy the «F312195E-3D9D-447A-A3F5-08DFFA24735E» is. I believe it is under the computer configuration, but there are a lot. How can I search it?
Also if there is any action I should take next for these links, any advice will be appreciated..
-
Win 10 Update Database Corruption
If you haven’t already, see if this below may help starting with step 2 using the ISO file you downloaded from me.
*Arrow https://support.microsoft.com/en-us/…81f-0x800f0907
-
Error code: 0x80071A91 when trying to enable .net framework 3.5
Can you please show me how to do this? i dont understand step 2 onwards
Configure the Group Policy as in Method 2, but also follow these steps:
- Mount the ISO image that’s created in step 1.
- Point the «Alternate source file path» to the ISO sourcessxs folder from the ISO.
- Run the gpupdate /force command.
- Add the .Net framework feature
-
Error on gpupdate /force
Error on gpupdate /force
-
Error on gpupdate /force — Similar Threads — Error gpupdate force
-
Errors After Windows 11 forced update
in Windows 10 Gaming
Errors After Windows 11 forced update: Hello,I have run across issues that get in the way of my gaming and productivity time. It has been a frustrating while since the pop up for windows 11 update prompts nagged me every time, I log in.I was then forced to update because of that fact. Later, it was fine. A couple… -
Errors After Windows 11 forced update
in Windows 10 Software and Apps
Errors After Windows 11 forced update: Hello,I have run across issues that get in the way of my gaming and productivity time. It has been a frustrating while since the pop up for windows 11 update prompts nagged me every time, I log in.I was then forced to update because of that fact. Later, it was fine. A couple… -
force update
in Windows 10 Gaming
force update: My computer automatically updated without my notice. It restarted and not it is stuck on welcome screen for an hour. I dont know what to do from here since I dont want to mess up the machine. This is just 2 years old Windows 10…. -
GPO Mapped Shared Drives Disappearing — Unable to run gpupdate
in Windows 10 Network and Sharing
GPO Mapped Shared Drives Disappearing — Unable to run gpupdate: Our IT team has noticed a problem with a variety of seemingly related symptoms on several different machines, with multiple different user accounts, each in a different OU for policy.The initial problem that is obvious is that user’s network drives are disappearing when then… -
Forced restart and various blue screen errors
in Windows 10 BSOD Crashes and Debugging
Forced restart and various blue screen errors: Hello all. I have a peculiar situation.I bought a new Dell XPS 15 with Windows 10 Home. When I set it up, I had to do initial updates and all was fine for two weeks until yesterday — the whole system went crazy. I kept getting Blue Screen messages upon boot and during the… -
I’ve messed with the LAN settings, command prompt ipconfig and GPUPDATE
in Windows 10 Ask Insider
I’ve messed with the LAN settings, command prompt ipconfig and GPUPDATE: I just built my own PC like 6 days ago and now I’ve been getting the «the remote device won’t accept the connection wifi» Error and I’ve been searching and trying solutions from anywhere and literally none of them have worked. I’ve messed with the LAN settings, command prompt… -
Force shutdown
in Windows 10 Ask Insider
Force shutdown: HelloEversince I’ve been using Windows 10 I have been struggling with many bugs and blue screens. Ok well I’m used to it now.
But the thing is, when the computer is stuck, I’m unable to force shutdown and force restart it.
I need to wait for the battery to be depleted….
-
Group policy only works after «gpupdate /force»
in AntiVirus, Firewalls and System Security
Group policy only works after «gpupdate /force»: Hello,I want to enforce the Windows Defender Real-time Protection by group policy, but it isn’t working as intended.
I set the group policy setting «Turn off real-time protection» to «disabled».
I can now check if the group policy loads for me, by using «gpresult /V…
-
Forced updates
in Windows 10 Installation and Upgrade
Forced updates: I have Windows 10 Creator’s Edition. Why don’t I get this prompt?https://www.cnet.com/news/microsoft-forced-windows-update-auto-restart-snooze-indefinitely-windows-10/
It forces updates whenever it feels like just like always….
Users found this page by searching for:
-
windows failed to apply the {f312195e-3d9d-447a-a3f5-08dffa24735e} settings hyper-v server
,
-
nu vot
,
-
error gpupdate
,
- gpupdate the following warnings were found,
- event string: windows failed to apply the {f312195e-3d9d-447a-a3f5-08dffa24735e} settings. {f312195e-3d9d-447a-a3f5-08dffa24735e} settings might have its own log file. please click on the more information link.,
- event id 7016 windows 10 gpupdate
ManieyaK_
asked on 9/18/2018
GPO fails to apply User Policies, Computer Policies applied successfully. Below is the output:
Windows failed to apply the {F312195E-3D9D-447A-A3F5-08DFFA24735E} settings. {F312195E-3D9D-447A-A3F5-08DFFA24735E} settings might have its own log file. Please click on
the «More information» link. User Policy update has completed successfully.
Not sure how to correct.
Windows OSActive Directory
I assume you meant that is the output from a gpupdate.
Instead use the GP Results Wizard in the GP MAnagement Console (GPMC.) It’ll tell you every applied and failed update, and for the most part will tell you WHY. (Filtered out by security setting, WMI filter, etc.)
IF something fails for another reason, time to look at the event logs (on the client, not the server) and look for the component responsible for that policy.
You machine is able to retrieve its GPO settings but can’t apply them completely. The eventlog for Group Policy can give a lot of information about the reason why processing this GPO fails.
To view the Group Policy operational log:
1. Start the Event Viewer.
2. Click the arrow next to Applications and Services Logs.
3. Click the arrow next to Microsoft, and then Windows, and then Group Policy.
4. Click Operational.
So the same results for every machine on the network, after running GPUPDATE Force System Policy finishes fine, just the user policy always fails on every machine. SO do i need to check the event log of all of our machines?
Thanks.
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a
7-Day free trial
and enjoy unlimited access to the platform.
Okay so I’ve got a few warnings
EventID 6033 (All three)
— «Skipped Audit Policy Configuration Extension based on GP client-side-processing rules. Refer to a Resultant Set of Policy report for more info.
— «Skipped {F312195E-3D9D447A-A3F5-08DFFA24735E} Extension based on Group Policy client-side-processing rules. Refer to a Resultant Set of
Policy report for more info.»
— » Skippped MitigationOptions Extension based on Group Policy client-side-processing rules. Refer to a Resultant Set of
Policy report for more info.»