Group policy of Trusted Sites don't update on some machines

We have some machines which the trusted sites policy don't update anymore. Where all the other computer do update their list of trusted websites.
They are in the same OU and receive the same policies. But when I compare an export of the registry of the trusted websites I can see a clear difference.
Can it be resolved?

Hi Michael140,
Based on my understanding, some clients which should be configured trusted sites policy do not update anymore. However, some clients which are in the same OU
work fine. Right?
Firstly, please run
Gpupdate /force on the command prompt of problematic clients to
apply the GPO settings.
Then
Please run the following command on the problematic workstation and clients which work fine to check the difference of the applied GPOs.
Gpresult /h > C:\temp\gpresult.html (“C:\temp\”is the path of the gpresult.html, you can set it yourself)
This file gpresult.html is used for checking the resultant of Group Policy information
Regards,
Lany Zhang

Similar Messages

Event 4098 Group Policy Printers, Printers intermittently don't deploy

Hi,
On a similar vein to this topic We also deploy printers Via the Server 2008 group policy preferences. All our PC's are Vista Business 32bit SP1. The problem we are having is that intermittently the printer will not install at logon. If you logoff and back on again it is there. On one particular PC I found this event in the Applications log.
Log Name:      Application
Source:        Group Policy Printers
Date:          13/01/2009 4:07:48 PM
Event ID:      4098
Task Category: (2)
Level:         Warning
Keywords:      Classic
User:          SYSTEM
Computer:      E-HSS.cygnet.library.uwa.edu.au
Description:
The user 'HSSClient1' preference item in the 'Client Vista Domain Policy SP1 {A85CA6F0-874B-467F-B50A-939E64932884}' Group Policy object did not apply because it failed with error code '0x80070709 The printer name is invalid.' This error was suppressed.
Event Xml:
<System>
    <Provider Name="Group Policy Printers" />
    <EventID Qualifiers="34305">4098</EventID>
    <Level>3</Level>
    <Task>2</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2009-01-13T07:07:48.000Z" />
    <EventRecordID>37184</EventRecordID>
    <Channel>Application</Channel>
    <Computer>E-HSS.cygnet.library.uwa.edu.au</Computer>
    <Security UserID="S-1-5-18" />
Now if this error happened every time we would change the name of the printer to be something more "Valid" but it doesn't and we can logon again and the printer installs fine. Can someone explain to me why it thinks HSSClient1 is invalid intermittently?
From this thread I investigated the print processor of one of our printer queues and found is was not set to 'WinPrint' So on HSSClient1 I set the print processor to 'WinPrint'. Do all printers managed/deployed by Group Policy preferences need to have their processor set to WinPrint?
Regards
Jason Langoulant
UWA Library I.T.

Hi,
Regarding print processors , third party print processors are supported but not recommended. Print processors are user-mode dynamic-link libraries that are responsible for converting the spooled data of a print job to a format that can be sent to a print monitor. Print processors are also responsible for handling program requests to pause, to resume, and to cancel print jobs. But Print processors would be started during system startup. It’s not related to this GPO issue.
This issue may occur if you create the Printer as TCP/IP printer. Please try to delete the original printer and try to create a new shared Printer in Group Policy Preferences.
However, if it’s the original printer is not TCP/IP printer, please also try to recreate it and help to run the MPS report (PFE version) on the clients to collect reports. The MPS Reporting Tool is utilized to gather detailed information regarding a systems current configuration. The data collected will assist you with fault isolation.
A . Please download MPS Reporting Tool (MPSRPT_PFE.EXE) from the following link:
(http://www.microsoft.com/downloads/details.aspx?FamilyID=00ad0eac-720f-4441-9ef6-ea9f657b5c2f&DisplayLang=en)
Please note: The link may be truncated when you read the E-mail. Be sure to include all text between '(' and ')' when navigating to the download location.
B . Right click MPSRPT_PFE.EXE and select Run as Administrator to run this tool, and you will see a Command Window start up.
C . Please type Y with the message of <Include the MSINFO32 report? (defaults to Y in 15 seconds)[Y,N]?
D . When the tool is done you will see an Explorer Window opening up the %systemroot%\MPSReports\Setup\Reports\cab folder and containing a <Computername>MPSReports.cab file. After collecting, please use Windows Live SkyDrive (http://www.skydrive.live.com/) to upload the file and then give me the download address.
Thanks.

Force run apps don't deploy on some machines causing zen icons toflash at intervals

I'm having a problem lately, with new apps that I'm creating (for
example Acrobat Reader 9.4) not deploying on some machines. I have them
set to force run, user associated. They appear in application explorer,
and if I manually launch them, they will install just fine. I have
conditions for availability based on version, so if the app has been
installed, it will no longer show in application explorer.
I had this happen a few months ago, and I thought it was one particular
app I had just sent out, so I just manually ran it on the affected
workstations, but now I'm seeing the same workstations having the issue.
The workstations are running the last released ZDM 7 agent, and the
Servers are Netware 6.5 SP8 patched up to the last released Zen 7
version. (I removed the existing agent and reinstalled the latest agent
HP4, msi dated 5/14/2010)
I've deleted nalcache, and that had no effect. Naldiag shows the apps
are there and passed the tests, but I think that there is actually a
problem with another app that had been previously created that is
preventing these from working.
I'm just looking for some areas to check to figure this out. I'm not
seeing any errors, it just doesn't launch the force run apps. The vast
majority of the machines run them absolutely fine.
-------------- Update ---------------
I was waiting to post this to check one more thing, and I had to reboot
the machine. The user had gone home for the day so I logged in as a
different user and now the apps are deploying, so this appears to be
something perhaps in the registry for that user? I was afraid this
would happen.. I'll have to find another broken machine to do further
testing on.
Any ideas how to track this down? The apps that were "stuck" are new
applications, they aren't modified old applications where I would be
worried about the guid being changed or anything weird.
I'm guessing the moment I create another force run app to update
something that I am going to see the exact same problem recur.

On 11/4/2010 9:12 AM, Anders Gustafsson wrote:
> Patrick Farrell,
>> Thanks, it's very annoying as it prevents a lot of updates going out.
>> The vast majority of machines work just fine. I just can't figure out
>> why something set to force run would not, however you can install the
>> app by double clicking it in app explorer just fine, at which point the
>> refresh every 30 seconds goes away. It's hard to even look at naldiag
>> because the list starts to refresh not long after it displays.
>
> Shaun said:
> logs, and take things away until it works, then add things back until
> it breaks...
>
There's nothing of interest in the logs that I can find. As for taking
things away, I thought about that as well, however when I set up a brand
new machine and install zen, all of the applications force run just fine
and install... Very odd. What makes the workstations stop blinking is
for me to remove the force run on the new apps, or manually run them.
I guess I could take away force run on all the other stuff that's
already installed, that would be rather strange for one of those to be
the culprit.

SCCM 2012 Clients at Secondary Site don't update and shows status as INACTIVE

I have 1 Primary site and 1 Secondary sites. I have setup Secondary site Boundaries using IP subnet. I see that the systems from secondary
site show in the console and they all have clients installed but however 60% of the system shows client activity as INACTIVE and not receiving any heartbeat DDR none of the system showing hardware inventory. I am not positive
where to look as far as logs are concerned. I think the clients aren't receiving policy like they should.
Just to give a brief idea, Secondary Site server crashed and we had to rebuild the server and re install secondary site after rebuilding all the
problem. Everything is working fine in Primary site.
Secondary site is communicating with primary site MP and DP
I have checked MPcontrol.log it shows status as OK
I am able to install client through console but yes when I check the configuration manager properties it shows CCM Notification Agent as DISSABLED
and in the Action Tab Machine and User policy are the only cycles showing.
Checked replmgr.log and rclctrl.log but it’s not showing any error
Only log file which shows error is bgdserver.log ( pasting log errors )
ERROR: SQL exception when retrieve client certificate from DB. Exception: The EXECUTE permission was denied on the object 'sp_GetPublicKeyForSMSID', database 'CM_PRI',
schema 'dbo'. -2146232060           SMS_NOTIFICATION_SERVER     05-07-2014 12:09:01               3968 (0x0F80)
ERROR: Can't do post authentication without client certificate stored in regsitration.            SMS_NOTIFICATION_SERVER
05-07-2014 12:09:01                3968 (0x0F80)
ERROR: Failed to authenticate with client [::ffff:10.5.55.88]:49623.        SMS_NOTIFICATION_SERVER     05-07-2014
12:09:01               3968 (0x0F80)
ERROR: SQL exception when retrieve client certificate from DB. Exception: The EXECUTE permission was denied on the object 'sp_GetPublicKeyForSMSID', database 'CM_PRI',
schema 'dbo'. -2146232060           SMS_NOTIFICATION_SERVER     05-07-2014 12:09:01               3968 (0x0F80)
ERROR: Can't do post authentication without client certificate stored in regsitration.            SMS_NOTIFICATION_SERVER
05-07-2014 12:09:01                3968 (0x0F80)
ERROR: Failed to authenticate with client [::ffff:10.5.62.68]:49923.        SMS_NOTIFICATION_SERVER     05-07-2014
12:09:01               3968 (0x0F80)
ERROR: SQL exception when retrieve client certificate from DB. Exception: The EXECUTE permission was denied on the object 'sp_GetPublicKeyForSMSID', database 'CM_PRI',
schema 'dbo'. -2146232060           SMS_NOTIFICATION_SERVER     05-07-2014 12:09:06               3968 (0x0F80)
ERROR: Can't verify signature in message without client certificate for client SCCM GUID:B47059B1-D4E4-41A2-BC88-486A597FE399
SMS_NOTIFICATION_SERVER     05-07-2014 12:09:06               3968 (0x0F80)
ERROR: Invalid hook to be decoded. Authentication                SMS_NOTIFICATION_SERVER
05-07-2014 12:09:06               3968 (0x0F80)
ERROR: Failed to decode message body (<BgbSignInMessage TimeStamp="2014-07-05T06:39:01Z"><ClientType>SCCM</ClientType><ClientVersion>5.00.7804.1000</ClientVersion><ClientID>GUID:B47059B1-D4E4-41A2-BC88-486A597FE399</ClientID></BgbSignInMessage>)
with message header
Help me resolve this issue as I am struggling to resolve this for almost 2 weeks.
Please let me know which logs are helpful and I'll try to add it to replies.

Hi,
Quote:"see that the systems from secondary site show in the console and they all have clients installed but however 60% of the system shows client activity as INACTIVE and not receiving any heartbeat DDR none of the system showing hardware inventory. "
So not all the clients show inactive? Have you checked the logs in an inactive client? Such as ClientIDManagerStartup.log.
Have you checked Secondary Site server's computer name from SQL logins? You could try to remove this account, wait a while, recreate the same computeraccount login with sysadmin access. (http://social.technet.microsoft.com/Forums/en-US/d5383c23-6b71-47cc-9fad-fda82a44a3aa/secondary-site-showing-inactive-clients?forum=configmanagerdeployment)
You could use Configuration Analyzer for System Center 2012 R2 to troubleshoot issues.
http://technet.microsoft.com/en-us/library/dn469435.aspx
Best Regards,
Joyce
We
are trying to better understand customer views on social support experience, so your participation in this
interview project would be greatly appreciated if you have time.
Thanks for helping make community forums a great place.

Trying to setup a group policy to force auto detect proxy setting on multiple machines on our network

We have the proxy configured on our computers to use a pac file, now we need to remove the pac and set it to auto detect proxy on our network. Do you have a adm file that works with 7.0.1 or another way to push this out on multiple pc's.

You can use a mozilla.cfg file in the Firefox program folder to lock prefs or specify new (default) values.
Place a file local-settings.js in the defaults\pref folder where you also find the file channel-prefs.js to specify using mozilla.cfg.
pref("general.config.filename", "mozilla.cfg");
pref("general.config.obscure_value", 0); // use this to disable the byte-shift
See:
*http://kb.mozillazine.org/Locking_preferences
You can use these functions in mozilla.cfg:
defaultPref(); // set new default value
pref(); // set pref, but allow changes in current session
lockPref(); // lock pref, disallow changes
*http://kb.mozillazine.org/network.proxy.type
*http://kb.mozillazine.org/network.proxy.%28protocol%29
*http://kb.mozillazine.org/network.proxy.%28protocol%29_port

Domain Group Policy changes causes clients to be unable to connect to WSUS for Windows Updates

Domain Controller is Windows Server 2008 R2 64-bit, Group Policy Management version 6.0.0.1. WSUS server is Windows Server 2008 Enterprise 32-bit, Update Services version 3.2.7600.226. Client machines are Windows 7, some are 64-bit and some are 32-bit.
Every time we make any changes to any of our Group Policies most of our clients stop getting their Windows Updates from the WSUS server within 2-3 days. This occurs when we add a new policy for a group of users, temporarily disable a policy or edit a policy.
Check of the WindowsUpdate.log on affected client machines shows:
2014-06-25 13:40:44:976 760 1610 PT WARNING: GetAuthorizationCookie failure, error = 0x80072EE2, soap client error = 5, soap error code = 0, HTTP status code = 200
2014-06-25 13:40:44:977 760 1610 PT WARNING: Failed to initialize Simple Targeting Cookie: 0x80072ee2
2014-06-25 13:40:44:977 760 1610 PT WARNING: PopulateAuthCookies failed: 0x80072ee2
2014-06-25 13:40:44:977 760 1610 PT WARNING: RefreshCookie failed: 0x80072ee2
2014-06-25 13:40:44:977 760 1610 PT WARNING: RefreshPTState failed: 0x80072ee2
2014-06-25 13:40:44:977 760 1610 PT WARNING: PTError: 0x80072ee2
2014-06-25 13:40:44:977 760 1610 Report WARNING: Reporter failed to upload events with hr = 80072ee2.
A further check of the log files shows:
2014-06-21 19:36:06:995 156 1b0c Misc WARNING: SendRequest failed with hr = 80072ee2. Proxy List used: <proxy server name:8080> Bypass List used : <(null)> Auth Schemes used : <>
We do not use a proxy except for Internet connections. We configure IE with a pac file. This is set through Group Policy since we restrict user accounts from being able to set it.
The clients that are connecting to the WSUS server have these entries instead:
2014-06-24 09:12:16:779 992 270 Agent Setting download properties on call A20329BC-3467-4B7E-B9F4-6AC6ACBA23E1: priority=3, interactive=1, owner is system=0, proxy settings=1, proxy session id=2
I have a routine that will fix the problem but it is time-consuming and pulls me away from other things I should be doing:
Run registry files on client machine (WindowsUpdate and AU) This is not always necessary and is already set by Group Policy and the affected clients already have the registry settings. No idea why it is necessary to do but it the steps below don't always
work unless it is.
netstop bits and netstop wuauserv
ipconfig /flushdns
Delete qmgr*.* files from Downloader folder
Delete Software Distribution folder
Run from command prompt:
sc.exe sdset bits D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)
sc.exe sdset wuauserv D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)
netstart bits and netstart wuauserv
wuauclt /resetauthorization /detectnow
Run Windows Updates again from Control Panel
This routine always fixes the problem but I've found that I must do each step to guarantee success.
How or where is the proxy setting being changed for WSUS that we see in the WindowsUpdate logs and how do I prevent this from happening? It is also curious that it happens to most but not all of the client machines. When it does happen it's not always the
same client machines.

You're right - the WSUS server is on the inside and does not need a proxy server. Tried running the netsh winhttp reset proxy command but was still not able to connect to the WSUS server. After running the netsh winhttp reset proxy command received response:
Current WinHTTP proxy setting: Direct access <no proxy server>.
Ran the command at 13:49 and then tried Windows Updates again. Here's snippet from the log file:
2014-06-27 13:49:56:889 548 f6c AU Triggering AU detection through DetectNow API
2014-06-27 13:49:56:890 548 f6c AU Triggering Online detection (interactive)
2014-06-27 13:49:56:890 548 4b8 AU #############
2014-06-27 13:49:56:890 548 4b8 AU ## START ## AU: Search for updates
2014-06-27 13:49:56:890 548 4b8 AU #########
2014-06-27 13:49:56:893 548 4b8 AU <<## SUBMITTED ## AU: Search for updates [CallId = {9CE06AB2-E859-4B4D-8D1A-193AD89623C5}]
2014-06-27 13:49:56:893 548 1260 Agent *************
2014-06-27 13:49:56:893 548 1260 Agent ** START ** Agent: Finding updates [CallerId = AutomaticUpdates]
2014-06-27 13:49:56:893 548 1260 Agent *********
2014-06-27 13:49:56:893 548 1260 Agent   * Online = Yes; Ignore download priority = No
2014-06-27 13:49:56:893 548 1260 Agent   * Criteria = "IsInstalled=0 and DeploymentAction='Installation' or IsPresent=1 and DeploymentAction='Uninstallation' or IsInstalled=1 and DeploymentAction='Installation' and RebootRequired=1
or IsInstalled=0 and DeploymentAction='Uninstallation' and RebootRequired=1"
2014-06-27 13:49:56:893 548 1260 Agent   * ServiceID = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7} Managed
2014-06-27 13:49:56:893 548 1260 Agent   * Search Scope = {Machine}
2014-06-27 13:49:56:893 548 1260 Setup Checking for agent SelfUpdate
2014-06-27 13:49:56:893 548 1260 Setup Client version: Core: 7.6.7600.256 Aux: 7.6.7600.256
2014-06-27 13:49:56:894 548 1260 Misc Validating signature for C:\Windows\SoftwareDistribution\SelfUpdate\wuident.cab:
2014-06-27 13:49:56:901 548 1260 Misc Microsoft signed: Yes
2014-06-27 13:49:56:927 548 1260 Misc Validating signature for C:\Windows\SoftwareDistribution\SelfUpdate\wuident.cab:
2014-06-27 13:49:56:934 548 1260 Misc Microsoft signed: Yes
2014-06-27 13:49:56:936 548 1260 Misc Validating signature for C:\Windows\SoftwareDistribution\SelfUpdate\wsus3setup.cab:
2014-06-27 13:49:56:943 548 1260 Misc Microsoft signed: Yes
2014-06-27 13:49:56:956 548 1260 Misc Validating signature for C:\Windows\SoftwareDistribution\SelfUpdate\wsus3setup.cab:
2014-06-27 13:49:56:962 548 1260 Misc Microsoft signed: Yes
2014-06-27 13:49:56:974 548 1260 Setup Determining whether a new setup handler needs to be downloaded
2014-06-27 13:49:56:974 548 1260 Setup SelfUpdate handler is not found. It will be downloaded
2014-06-27 13:49:56:974 548 1260 Setup Evaluating applicability of setup package "WUClient-SelfUpdate-ActiveX~31bf3856ad364e35~amd64~~7.6.7600.256"
2014-06-27 13:49:56:976 548 1260 Setup Setup package "WUClient-SelfUpdate-ActiveX~31bf3856ad364e35~amd64~~7.6.7600.256" is already installed.
2014-06-27 13:49:56:976 548 1260 Setup Evaluating applicability of setup package "WUClient-SelfUpdate-Aux-TopLevel~31bf3856ad364e35~amd64~~7.6.7600.256"
2014-06-27 13:49:56:989 548 1260 Setup Setup package "WUClient-SelfUpdate-Aux-TopLevel~31bf3856ad364e35~amd64~~7.6.7600.256" is already installed.
2014-06-27 13:49:56:989 548 1260 Setup Evaluating applicability of setup package "WUClient-SelfUpdate-Core-TopLevel~31bf3856ad364e35~amd64~~7.6.7600.256"
2014-06-27 13:49:57:007 548 1260 Setup Setup package "WUClient-SelfUpdate-Core-TopLevel~31bf3856ad364e35~amd64~~7.6.7600.256" is already installed.
2014-06-27 13:49:57:007 548 1260 Setup SelfUpdate check completed. SelfUpdate is NOT required.
2014-06-27 13:49:57:165 548 1260 PT +++++++++++ PT: Synchronizing server updates +++++++++++
2014-06-27 13:49:57:165 548 1260 PT   + ServiceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}, Server URL =
http://(FQDN of WSUS server)/ClientWebService/client.asmx
2014-06-27 13:49:57:175 548 1260 PT WARNING: Cached cookie has expired or new PID is available
2014-06-27 13:49:57:175 548 1260 PT Initializing simple targeting cookie, clientId = 6be4a1ae-3313-4855-bdb1-57e3312f03ec, target group = AGENCIES, DNS name = dpk2.clear-rcic.rcc.org
2014-06-27 13:49:57:175 548 1260 PT   Server URL =
http://(FQDN of WSUS server)/SimpleAuthWebService/SimpleAuth.asmx
2014-06-27 13:50:57:280 548 1260 Misc WARNING: SendRequest failed with hr = 80072ee2. Proxy List used: <(proxy server):8080> Bypass List used : <(null)> Auth Schemes used : <>
2014-06-27 13:50:57:281 548 1260 PT   + Last proxy send request failed with hr = 0x80072EE2, HTTP status code = 0
2014-06-27 13:50:57:281 548 1260 PT   + Caller provided proxy = No
2014-06-27 13:50:57:281 548 1260 PT   + Proxy list used = webgate.rcc.org:8080
2014-06-27 13:50:57:281 548 1260 PT   + Bypass list used = <NULL>
2014-06-27 13:50:57:281 548 1260 PT   + Caller provided credentials = No
2014-06-27 13:50:57:281 548 1260 PT   + Impersonate flags = 0
2014-06-27 13:50:57:281 548 1260 PT   + Possible authorization schemes used =
2014-06-27 13:50:57:281 548 1260 PT WARNING: GetAuthorizationCookie failure, error = 0x80072EE2, soap client error = 5, soap error code = 0, HTTP status code = 200
2014-06-27 13:50:57:281 548 1260 PT WARNING: Failed to initialize Simple Targeting Cookie: 0x80072ee2
2014-06-27 13:50:57:281 548 1260 PT WARNING: PopulateAuthCookies failed: 0x80072ee2
2014-06-27 13:50:57:281 548 1260 PT WARNING: RefreshCookie failed: 0x80072ee2
2014-06-27 13:50:57:281 548 1260 PT WARNING: RefreshPTState failed: 0x80072ee2
2014-06-27 13:50:57:281 548 1260 PT WARNING: Sync of Updates: 0x80072ee2
2014-06-27 13:50:57:281 548 1260 PT WARNING: SyncServerUpdatesInternal failed: 0x80072ee2
2014-06-27 13:50:57:281 548 1260 Agent   * WARNING: Failed to synchronize, error = 0x80072EE2
2014-06-27 13:50:57:282 548 1260 Agent   * WARNING: Exit code = 0x80072EE2
2014-06-27 13:50:57:282 548 1260 Agent *********
2014-06-27 13:50:57:282 548 1260 Agent ** END ** Agent: Finding updates [CallerId = AutomaticUpdates]
2014-06-27 13:50:57:282 548 1260 Agent *************
2014-06-27 13:50:57:282 548 1260 Agent WARNING: WU client failed Searching for update with error 0x80072ee2
2014-06-27 13:50:57:302 548 e04 AU >>## RESUMED ## AU: Search for updates [CallId = {9CE06AB2-E859-4B4D-8D1A-193AD89623C5}]
2014-06-27 13:50:57:302 548 e04 AU   # WARNING: Search callback failed, result = 0x80072EE2
2014-06-27 13:50:57:302 548 e04 AU   # WARNING: Failed to find updates with error code 80072EE2
2014-06-27 13:50:57:302 548 e04 AU #########
2014-06-27 13:50:57:302 548 e04 AU ## END ## AU: Search for updates [CallId = {9CE06AB2-E859-4B4D-8D1A-193AD89623C5}]
2014-06-27 13:50:57:302 548 e04 AU #############
2014-06-27 13:50:57:303 548 e04 AU Successfully wrote event for AU health state:0
2014-06-27 13:50:57:303 548 e04 AU AU setting next detection timeout to 2014-06-27 22:50:57
2014-06-27 13:50:57:304 548 e04 AU Setting AU scheduled install time to 2014-06-28 05:00:00
2014-06-27 13:50:57:304 548 e04 AU Successfully wrote event for AU health state:0
2014-06-27 13:50:57:305 548 e04 AU Successfully wrote event for AU health state:0
2014-06-27 13:51:02:285 548 1260 Report REPORT EVENT: {BD25B39C-6570-454C-A046-AF3AF2DEBDD4} 2014-06-27 13:50:57:282-0400 1 148 101 {00000000-0000-0000-0000-000000000000} 0 80072ee2 AutomaticUpdates Failure Software
Synchronization Windows Update Client failed to detect with error 0x80072ee2.
2014-06-27 13:51:02:295 548 1260 Report CWERReporter::HandleEvents - WER report upload completed with status 0x8
2014-06-27 13:51:02:295 548 1260 Report WER Report sent: 7.6.7600.256 0x80072ee2 00000000-0000-0000-0000-000000000000 Scan 101 Managed
2014-06-27 13:51:02:295 548 1260 Report CWERReporter finishing event handling. (00000000)
2014-06-27 13:51:48:184 548 4b8 AU ########### AU: Uninitializing Automatic Updates ###########
2014-06-27 13:51:48:187 548 4b8 DnldMgr FATAL: DM:CBitsJob::SetCallbackHandler: SetNotifyInterface failed with 0x80080008.
2014-06-27 13:51:48:187 548 4b8 DnldMgr FATAL: DM:CBitsJob::SetCallbackHandler: SetNotifyInterface failed with 0x80080008.
2014-06-27 13:51:48:187 548 4b8 DnldMgr FATAL: DM:CBitsJob::SetCallbackHandler: SetNotifyInterface failed with 0x80080008.
2014-06-27 13:51:48:187 548 4b8 DnldMgr FATAL: DM:CBitsJob::SetCallbackHandler: SetNotifyInterface failed with 0x80080008.
2014-06-27 13:51:48:187 548 4b8 Report CWERReporter finishing event handling. (00000000)
2014-06-27 13:51:48:252 548 4b8 Service *********
2014-06-27 13:51:48:252 548 4b8 Service ** END ** Service: Service exit [Exit code = 0x240001]
2014-06-27 13:51:48:252 548 4b8 Service *************
2014-06-27 13:51:53:002 548 160c Misc =========== Logging initialized (build: 7.6.7600.256, tz: -0400) ===========
2014-06-27 13:51:53:002 548 160c Misc   = Process: C:\Windows\system32\svchost.exe
2014-06-27 13:51:53:002 548 160c Misc   = Module: c:\windows\system32\wuaueng.dll
Ran a batch file which resets the AU and WindowsUpdate registry keys and then runs the steps listed above:
regedit /s C:\WindowsUpdate.reg
regedit /s C:\AU.reg
net stop bits
net stop wuauserv
Ipconfig /flushdns
del C:\ProgramData\Microsoft\Network\Downloader\qmgr*.*
del /F /Q C:\Windows\SoftwareDistribution\*.*
sc.exe sdset bits D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)
sc.exe sdset wuauserv D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)
net start bits
net start wuauserv
wuauclt /resetauthorization /detectnow
After this runs, am able to connect to WSUS server for updates. I mentioned Group Policy changes because this only breaks after the Group Policy changes. It doesn't affect every client machine but most of them. Was wondering how the proxy gets reset from
none to the proxy server for Windows Updates?

Group Policy for IE 9, 10, 11

We have a mix of IE 9, 10, 11. When we deployed IE 10, 11 we updated ADM;s to coonfigure IE 10, 11 group policy.
Now we have separate policies for IE 9, and IE10,11 as some settings change. However I have few questions:-
1. If i want to change IE9 GPO settings, how can i do? As on all the machines when i open GPMC, it shows IE10, 11 settings and not IE maintenance thing.
2. What is the significance of Require server verifications for all sites in this zone in the IE trusted sites? Also, it is checked by default and how can we change it using group policy?
Please share your expert views on either or both questions. Appreciate any help!!

Hi,
1. If i want to change IE9 GPO settings, how can i do? As on all the machines when i open GPMC, it shows IE10, 11 settings and not IE maintenance thing.
IEM will no longer work on computers where Internet Explorer 10 or newer is installed, regardless of the Windows version it’s been installed on. You must update your settings using Group Policy Preferences, Administrative Templates (.admx), or the Internet
Explorer Administration Kit (IEAK).
http://blogs.msdn.com/b/asiatech/archive/2014/05/12/how-to-apply-the-content-of-ie-settings-in-gpo-which-used-iem-ie-maintenance-before-ie10-to-ie10-version-since-iem-has-been-deprecated-begin-from-ie10.aspx
2. What is the significance of Require server verifications for all sites in this zone in the IE trusted sites? Also, it is checked by default and how can we change it using group policy?
Only sites with https:// prefix can be added to the Zone, it assures a secure connection
This option is not avilable via GPP, but we can control it via registry, the related keys are stored under
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
or
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
you can find detailed information in the following link
http://support.microsoft.com/kb/182569/en-us
Then we can deploy the registry setting to all via GPO.
Yolanda Zhu
TechNet Community Support

Proxy details keep deleting from field in Group Policy Preferences for IE 10 on windows 7 and 8

We have a lot of users who on the last update and have seemed to manage to install IE 10 onto their windows 7 machines as now causing all sorts of issues. I know that IEM has been replaced in favour of Group Policy Preferences and I have build a windows
8 machine just to create a group policy preference as you are unable to create the preferences from windows 7, thank you Microsoft!
I have created a test OU and got a win 7 and a win 8 machine both with IE 10 for testing. I have created the preference settings, home page etc and disabled using the F keys the advanced features that we do not require as from reading in other post even
if it is not ticked, if it is green then it will apply it, kinda defeats the using the tick but it is what it is!
When we do a gpupdate it picks up the default homepage as well as other settings but the proxy settings is blank. I then went back into the preferences I created for IE 10 and checked the connections, LAN settings and the proxy server name is missing but
both ticks are showing for the proxy settings and when you click on advanced it shows the proxy server and port details fine. I have been working on this now for 4 days and getting no where to a point were we just roll back any users on IE 10 back to IE 9.
I have also unlinked any other gpo relating to Internet settings on the test OU just in case there are conflicts. Any ideas as where to go from here?

In the end to get around the proxy settings I had to create a registry key preference with proxy and port details which seemed to have done the trick and now IE 10 is picking up the proxy details and displaying webpages

Trusted Sites GPO only works for administrators

I've got a major problem and was hoping somebody could help me. I've got a hundred users or so that connect to an RDS Farm. The RDS farm is made up of several Windows Server 2008 R2 servers. One with IE 10 and the other with IE 8.
The problem that I'm having is if add sites to zone assignment in group policy and add sites to the trusted zone it will only work for users that are administrators. I found a reference to this problem and the issue being IE Enhanced Security, but
Enhanced Security is turned off.
If I'm a normal user with Remote Desktop User rights and I go into IE and check Trusted Sites, there is nothing there. If I login as administrator and check I can see all the trusted sites.
Anyone know how I can fix this?

Hi Cyprus,
Please check if you have the computers or users needing the policy are in a group that is specified. Remember that domain users includes all users, domain computers includes all computer, and authenticated users includes both users and computer. By
default, a GPO will be scoped to Authenticated Users.
Also please run gpresult command on non-administrator user to check if it sync to client successfully.
In addition, I suggest you ask Group Policy forum for more professional help:
https://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserverGP
The reason why we recommend posting appropriately is you will get the most qualified pool of respondents, and other partners who read the forums regularly can either share their knowledge or learn from your interaction with us. Thank you for your understanding.
Karen Hu
TechNet Community Support

Group Policy servers WARNING Event ID:4098

Hi All,
On our Domain controller we get every 5minutes the following error:
Event ID: 4098
User: NT AUTHORITY\SYSTEM
Source: Group Policy Services
Description:
The computer 'Application Updater' preference item in the 'Default Domain Policy {31B2F340-016D-11D2-945F-00C04FB984F9}' Group Policy object did not apply because it failed with error code '0x80070424 The specified service does not exist as an installed
service.' This error was suppressed.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
I just can't figure out what gpo setting is causing the problem....??
Anybody an idea how to solve this?

Hi,
According to the event description: The computer "Application Updater" preference item in the default domain policy..., we should troubleshoot this issue follow the steps as below:
1. As the GPO is Default Domain Policy, so the policy should be applied to all DCs and client, if the issue only occur on one of you DC, please check all the services, and find out the differences between DC and client.
2. Open Default Domain Policy, expand Computer Configuration, Preferences, Services. If you have new a service, please delete it and then check the result.
3. If the issue still there after the above troubleshoot, I would like suggest you to do DCGPOFIX.EXE, this tool could let us set the Default Domain Controller to the default setting.
DCGPOFIX - to be used - only in the last resort
http://blogs.technet.com/b/janelewis/archive/2006/09/22/458132.aspx
Hope this helps.
Best Regards,
Yan Li
Please remember to mark the replies as answers if they help and unmark them if they provide no help.

Where can I download Group Policy Health Check Tool v.1.0?

I once saw a screenshot of this tool (Group Policy Health Check Tool v.1.0) from some document. However, when I search on line for it, it looks like this tool simply does not exist. Can someone help me?

Hi,
Any update?
Just checking in to see if the suggestions were helpful. Please let us know if you would like further assistance.
Best Regards,
Andy Qi
TechNet Subscriber Support
If you are
TechNet Subscription user and have any feedback
on our support quality, please send your feedback here.
Andy Qi
TechNet Community Support

Group policy Query

Someone please help me to disable the Group policy for only one machine.(atleast wsus Group policy)
Please share the step by step details.

<![LOG[Its a WSUS Update Source type ({508E7B21-0DA1-4AED-B1FA-03AD7D9A49DD}), adding it.]LOG]!><time="20:13:20.083-330"
date="04-09-2014" component="WUAHandler" context="" type="1" thread="2508" file="sourcemanager.cpp:1232">
<![LOG[Unable to read existing resultant WUA policy. Error = 0x80070002.]LOG]!><time="20:13:20.083-330"
date="04-09-2014" component="WUAHandler" context="" type="2" thread="2508" file="sourcemanager.cpp:920">
<![LOG[Enabling WUA Managed server policy to use server: http://SCCM.ABC.in:8530]LOG]!><time="20:13:20.083-330"
date="04-09-2014" component="WUAHandler" context="" type="1" thread="2508" file="sourcemanager.cpp:948">
<![LOG[Waiting for 2 mins for Group Policy to notify of WUA policy change...]LOG]!><time="20:13:20.108-330"
date="04-09-2014" component="WUAHandler" context="" type="1" thread="2508" file="sourcemanager.cpp:954">
<![LOG[Timed out waiting for Group Policy notification.]LOG]!><time="20:15:20.109-330" date="04-09-2014"
component="WUAHandler" context="" type="1" thread="2508" file="sourcemanager.cpp:95">
<![LOG[Unable to read existing WUA resultant policy. Error = 0x80070002.]LOG]!><time="20:15:20.109-330"
date="04-09-2014" component="WUAHandler" context="" type="2" thread="2508" file="sourcemanager.cpp:958">
<![LOG[Group policy settings were overwritten by a higher authority (Domain Controller) to: Server and
Policy NOT CONFIGURED]LOG]!><time="20:15:20.112-330" date="04-09-2014" component="WUAHandler" context="" type="3" thread="2508" file="sourcemanager.cpp:1013">
<![LOG[Failed to Add Update Source for WUAgent of type (2) and id ({508E7B21-0DA1-4AED-B1FA-03AD7D9A49DD}).
Error = 0x87d00692.]LOG]!><time="20:15:20.113-330" date="04-09-2014" component="WUAHandler" context="" type="3" thread="2508" file="cwuahandler.cpp:2325">
WSUS settings will be assigned by SCCM Server basically, but in above the error the settigns has been overridden by GPO it seems.
I have created new OU and moved the test machine to that OU and disabled all Group policy.
Still the issue persist.
Note: Some GPO issue is already there in my environment (Computer policy will not refresh for any clients)

Uninstalling older versions of reader using Group Policy

I am using Group Policy to deploy Acrobat reader version 8.1.2 - however this does not do an upgrade to older versions or delete older versions. is there a way to do uninstalls or upgrades to the latest version using group policy?
Thanks.

Adobe Reader usually updates fine from one version to the subsequent next (e.g. from 9 to 10).
However, this does not always work well when skipping some versions (e.g. from 7 to 10). In this case I always recommend to uninstall the previous version first.

GPP Scheduled Task Fails in Group Policy Modeling depending on DC

We have multiple domain controllers running at a 2003 functional level.
We have 1 DC running Server 2003 x86 SP2 and the rest run Server 2008 (maybe R2)
I created a GPO that includes a Scheduled Task Group Policy Preference under Computer Configuration.
In order to test this I used Group Policy Modeling in the GPMC on a 2008 R2 Machine where I am editing Group Policy.
If I run the modeling (perform the simulation on the 2003 DC it fails. (Note I am modeling the GPO for a different computer, not the 2003 SP2 DC, I am running the modeling for a Workstation)
Information from the Component Status on the Summary Tab of the Modeling Report
Component Name Status
Group Policy Infrastructure Success
EFS recovery Success (no data)
Group Policy Scheduled Tasks Failed
Group Policy Scheduled Tasks failed due to the error listed below and failed to log resultant set of policy information.
Additional information may have been logged. Review the application event log on the domain controller on which the simulation was run for events between 2/28/2014 10:07:36 AM and 2/28/2014 10:07:36 AM.
Registry Success
Security Success
Info on the Settings Tab of the Modeling Report below.
An error has occurred while collecting data for Scheduled Tasks.
The following errors were encountered:
An unknown error occurred while data was gathered for this extension. Details: Invalid class
If I run the modeling using a 2008 DC to perform the simulation it works fine.
Per the instructions on the Summary Tab regarding the scheduled task failure I look at the event log on the 2003 domain controller and this is what i find.
The event I get on the 2003 DC is 8196 and I will place the details below.
Event Type:   Error
Event Source:           Group Policy Scheduled Tasks
Event Category:        Disk
Event ID:       8196
Date:              2/27/2014
Time:             4:48:47 PM
User:              NT AUTHORITY\SYSTEM
Computer:     <computername>
Description:
The client-side extension caught the unhandled exception '0xC0000005' inside: 'threadEntry : client main' See trace file for more details. For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
So, should I be concerned that this is failing on the 2003 DC, does this mean that if my workstations authenticate to my 2003 DC that the preference will not process?
I was reading that in 2003 client side extensions were not there and can be installed, would this make the modeling succeed?
How do I get verified, I tried to post screenshots, but I could not. :(

Hi Jonathan,
As you have found the reason, I want to confirm whether the issue has been fixed.
In fact, for Windows Server 2003 to apply or process Group Policy Preferences settings, we must install client-side extensions of GPP for Windows Server 2003.
Although this is not related to this case, for your information, if our clients are Windows XP or Windows Vista, to use GPP, we must install client-side extensions for these
workstations respectively.
Regarding GPP, the following article can be referred to for more information.
Group Policy Preferences Getting Started Guide
http://technet.microsoft.com/en-us/library/cc731892(v=WS.10).aspx
Best regards,
Frank Shen

Mac book air don't update

Help!! Mac book air don't update - written - some mistake (without number)
What can I do?

Mac book air don't update - written - some mistake (without number)
You'll need to provide more details on the issue, as that description isn't enough to offer any guidance.

Group policy of Trusted Sites don't update on some machines

Similar Messages

Maybe you are looking for