none
GPO Software Installation can not be assigned.

    Question

  • I have a Windows 2008 R2 domain, that I have just setup a computer configuration GPO to install CryptoPrevent software.  I have followed all the correct steps but can not get it to install on Windows 7sp1 x64.  I have been searching the internet for a possible solution for over a week, but to no avail.  In the client's event viewer, I'm getting event id's 101, 103, 108, and 1112.  I've applied all the suggested fixes, but no joy:

    - Disabled UAC
    - Changed the Startup Policy Processing wait time to 30, 90, 120
    - Enabled "Always wait for network at computer startup logon"
    - Changed spanning-tree to portfast on switch port

    I have also verified the user account and computer account have access to the MSI and can run it from command line.  I also have setup debug logging on the GPSvcLog and AppMgmtLog, but didn't catch anything.  What am I missing!?!??!?.

    Thanks,

    Jeremy

    Monday, June 15, 2015 6:32 PM

All replies

  • Hi Jeremy,

    Would you please check if the gpo got applied on the clients? Did you reboot the clients and then have a check?

    If possiable please share us the Rsop report then we may have a clear look on the problem.

    Looking farward to your feedback.

    Best Regards,

    Elaine


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, June 16, 2015 7:55 AM
    Moderator
  • > event id's 101, 103, 108, and 1112.
     
    I cannot recall what these events indicate - please post them :)
     
    > I have also verified the user account and computer account have access
     
    How did you verify computer accounts have access?
     
    > logging on the GPSvcLog and AppMgmtLog
     
    AppMgmt Logging is broken since Windows 8, and no one had a business
    case big enough to make MSFT fix it.
     

    Greetings/Grüße, Martin

    Mal ein gutes Buch über GPOs lesen?
    Good or bad GPOs? - my blog…
    And if IT bothers me - coke bottle design refreshment (-:
    Tuesday, June 16, 2015 8:40 AM
  • Thanks for the reply! Yes, I've rebooted multiple times and checked after every time with gpresult.  Here is the scrubbed RSOP text.  Let me know if you need anything else.

    RSOP data for CON\dauser on LT0350 : Logging Mode
    --------------------------------------------------
    OS Configuration:            Member Workstation
    OS Version:                  6.1.7601
    Site Name:                   HQ
    Roaming Profile:             N/A
    Local Profile:               C:\Users\dauser
    Connected over a slow link?: No


    COMPUTER SETTINGS
    ------------------ 
        Last time Group Policy was applied: 6/16/2015 at 8:20:20 AM
        Group Policy was applied from:      DC01.contoso.local
        Group Policy slow link threshold:   500 kbps
        Domain Name:                        CON
        Domain Type:                        Windows 2000

        Applied Group Policy Objects
        -----------------------------
            Contoso ENFORCED Domain Policy
            CryptoPrevent Installer
            Contoso Default User Policy
            Contoso Default Domain Policy
            Contoso Default Workstation Policy
            Power Profile Win7
            Local Intranet Sites
            Trusted Sites
            Firewall Settings Win7
            Windows Remote Management
            Power Mgmt Settings Win7
            PowerShell Execution Policy
            Google Chrome Settings

        The following GPOs were not applied because they were filtered out
        -------------------------------------------------------------------
            Contoso Favorites
                Filtering:  Not Applied (Empty)

            Redmond Printers
                Filtering:  Not Applied (Empty)

            Power Profile WinXP
                Filtering:  Denied (WMI Filter)
                WMI Filter: WinXP

            Blocked Applications
                Filtering:  Not Applied (Empty)

        The computer is a part of the following security groups
        -------------------------------------------------------
            BUILTIN\Administrators
            Everyone
            BUILTIN\Users
            NT AUTHORITY\NETWORK
            NT AUTHORITY\Authenticated Users
            This Organization
            LT0350$
            System Mandatory Level

    USER SETTINGS
    --------------
        CN=User\, Dumb A,OU=IT GPO Testing,OU=Redmond,OU=Locations,DC=contoso,DC=local
        Last time Group Policy was applied: 6/16/2015 at 8:20:20 AM
        Group Policy was applied from:      Odin.Contoso.local
        Group Policy slow link threshold:   500 kbps
        Domain Name:                        CON
        Domain Type:                        Windows 2000
       
        Applied Group Policy Objects
        -----------------------------
            Redmond Public Drive
            Contoso Default User Policy
            Contoso Default Domain Policy
            Blocked Applications
            Contoso Favorites
            Windows Remote Management
            PowerShell Execution Policy
            Redmond Printers

        The following GPOs were not applied because they were filtered out
        -------------------------------------------------------------------
            Google Chrome Settings
                Filtering:  Not Applied (Empty)

            Contoso ENFORCED Domain Policy
                Filtering:  Not Applied (Empty)

            Power Profile WinXP
                Filtering:  Denied (WMI Filter)
                WMI Filter: WinXP

            Local Intranet Sites
                Filtering:  Not Applied (Empty)

            Firewall Settings Win7
                Filtering:  Not Applied (Empty)

            Power Profile Win7
                Filtering:  Not Applied (Empty)

            Power Mgmt Settings Win7
                Filtering:  Not Applied (Empty)

            Contoso Default Workstation Policy
                Filtering:  Not Applied (Empty)

            Trusted Sites
                Filtering:  Not Applied (Empty)

        The user is a part of the following security groups
        ---------------------------------------------------
            Everyone
            BUILTIN\Administrators
            BUILTIN\Users
            NT AUTHORITY\INTERACTIVE
            CONSOLE LOGON
            NT AUTHORITY\Authenticated Users
            This Organization
            LOCAL
            High Mandatory Level

    Tuesday, June 16, 2015 8:58 PM
  • Thanks for the reply!  Here is a list of the events:

    Event 101 - Application Management Group Policy - The assignment of application %1 from policy %2 failed. The error was : %%1274

    Event 103 - Application Management Group Policy - The removal of the assignment of application %1 from policy %2 failed.  The error was : %%2

    Event 108 - Application Management Group Policy - Failed to apply changes to software installation settings. %1 The error was : %%1274

    Event 1112 - Group Policy - The Group Policy Client Side Extension Software Installation was unable to apply one or more settings because the changes must be processed before system startup or user logon. The system will wait for Group Policy Processing to finish completely before the next startup or logon for this user, and this may result in slow startup and boot performance.

    I don't have any Windows 8 machines on my domain.  As far as the logs, here are the links that I used to configure them.

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Diagnostics] 
    "GPSvcDebugLevel"=dword:00030002

    Microsoft KB 249621

    Tuesday, June 16, 2015 9:50 PM
  • > Event 101 - Application Management Group Policy - The assignment of
    > application %1 from policy %2 failed. The error was : %%1274
     
    This simply indicates that SW installation will not happen during a
    "gpupdate", but only at startup or logon.
     
    > Event 103 - Application Management Group Policy - The removal of the
    > assignment of application %1 from policy %2 failed. The error was : %%2
     
    %2 is "File not found". Which file? Unknown...
     
    > [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
    > NT\CurrentVersion\Diagnostics]
    > "GPSvcDebugLevel"=dword:00030002
     
    This only configures debug logging for the group policy service itself.
    What we would need is AppMgmtDebugLevel - but this one is broken...
     
    Just to make sure:
     
    http://gpsearch.azurewebsites.net/#340 is enabled and set to 0 (zero)?
     

    Greetings/Grüße, Martin

    Mal ein gutes Buch über GPOs lesen?
    Good or bad GPOs? - my blog…
    And if IT bothers me - coke bottle design refreshment (-:
    Wednesday, June 17, 2015 9:30 AM
  • Martin,

    I checked the links you listed and updated my GPO's to remove slow link detection, but it didn't resolve the issue.

    Wednesday, June 17, 2015 3:58 PM
  • > I checked the links you listed and updated my GPO's to remove slow link
    > detection, but it didn't resolve the issue.
     
    Then I|m out of luck... I can confirm that it DOES work. I cannot guess
    why it doesn't in your environment. And since AppMgmtDebugLevel is
    broken, there's little to look after. You might enable Installer Logging
    via GPO ("voicewarmup") and then check %Windir%\Temp for MSI*.TMP files.
    But this only helps if Installer is fired up during AppMgmt GPO processing.
     

    Greetings/Grüße, Martin

    Mal ein gutes Buch über GPOs lesen?
    Good or bad GPOs? - my blog…
    And if IT bothers me - coke bottle design refreshment (-:
    Wednesday, June 17, 2015 4:10 PM

  • I know Martin said that AppMgmtLog is broken as of Windows 8, but I'm not using Windows 2012 as a DC or Windows 8 in my environment.  Here is an excerpt of the AppMgmtLog from my Windows 2008r2 DC:

    06-17 10:56:08:055
    Software installation extension has been called for background policy refresh
    The following policies are to be applied, flags are 91.
        Contoso Default Workstation Policy (unique identifier {29B0BBBC-9412-4B72-98EC-89BBC40ABCEE})
            System volume path = contoso.local\SysVol\contoso.local\Policies\{29B0BBBC-9412-4B72-98EC-89BBC40ABCEE}\Machine
            Active Directory path = CN=Machine,cn={29B0BBBC-9412-4B72-98EC-89BBC40ABCEE},cn=policies,cn=system,DC=Contoso,DC=local
    Set the Active Directory path to CN=Class Store,CN=Machine,cn={29B0BBBC-9412-4B72-98EC-89BBC40ABCEE},cn=policies,cn=system,DC=Contoso,DC=local;.
    Policy has not changed.  Only assigned applications will be advertised.
    Enumerating the managed applications which are currently applied to this user.
    No managed applications are currently applied to this user.
    Found 0 applications locally that are not included in the set of applications from the Active Directory.
    Software installation extension returning with final error code 0.
    Software installation extension has been called for background policy refresh
    06-17 11:01:09:967
    Software installation extension has been called for background policy refresh
    The following policies are to be applied, flags are 91.
        Contoso Default Workstation Policy (unique identifier {29B0BBBC-9412-4B72-98EC-89BBC40ABCEE})
            System volume path = contoso.local\SysVol\contoso.local\Policies\{29B0BBBC-9412-4B72-98EC-89BBC40ABCEE}\Machine
            Active Directory path = CN=Machine,cn={29B0BBBC-9412-4B72-98EC-89BBC40ABCEE},cn=policies,cn=system,DC=Contoso,DC=local
    Set the Active Directory path to CN=Class Store,CN=Machine,cn={29B0BBBC-9412-4B72-98EC-89BBC40ABCEE},cn=policies,cn=system,DC=Contoso,DC=local;.
    Policy has not changed.  Only assigned applications will be advertised.
    Enumerating the managed applications which are currently applied to this user.
    No managed applications are currently applied to this user.
    Found 0 applications locally that are not included in the set of applications from the Active Directory.
    Software installation extension returning with final error code 0.

    I found a web page,  that suggested, for a similar issue, to re-register the Client-side extensions.  When I tried that the APPMGMTS.DLL failed with the following message:

    The module "appmgmts.dll" was loaded but the entry-point DllRegisterServer was not found.  Make sure that "appmgmts.dll" is a valid DLL or OCX file and then try again.

    Wednesday, June 17, 2015 7:24 PM
  • > Enumerating the managed applications which are currently applied to this
    > user.
    > No managed applications are currently applied to this user.
     
    Seems AppMgmt fails to see you assigned applications?!?
     

    Greetings/Grüße, Martin

    Mal ein gutes Buch über GPOs lesen?
    Good or bad GPOs? - my blog…
    And if IT bothers me - coke bottle design refreshment (-:
    Thursday, June 18, 2015 9:01 AM