SCEP Policy not applied, access denied

For a couple of weeks, a lot of clients haven't been updating the SCEP policies. The log EndpointProtectionAgent.log says:

Create Process Command line: "c:\Program Files\Microsoft Security Client\\ConfigSecurityPolicy.exe" "C:\Windows\CCM\EPAMPolicy.xml".

Failed to apply the policy C:\Windows\CCM\EPAMPolicy.xml with error (0x80004005).

Save new policy state 2 to registry SOFTWARE\Microsoft\CCM\EPAgent\PolicyApplicationState

State 2 and ErrorCode -2147467259 and ErrorMsg Failed to save the local machine Group Policy and PolicyName Antimalware Policy and GroupResolveResultHash 66710FA7810907856F6BE09F07F878807D075CEE is NOT changed.

I've searched the internet and found 1 site with the same problem: http://www.mbaeker.de/author/markus/page/3/

The fix doesn't work for me. The Registry.pol file is re-created but the errors still remain.

Is there an easy way to fix this?


  • Edited by Jopperd Wednesday, October 23, 2013 1:46 PM
October 23rd, 2013 1:45pm

While connected to your network, reboot the machine and let it sit at the login screen.  Remotely connect to the event viewer and check for event log entries showing errors applying group policy.  They may lead you to other potential causes besides registry.pol becoming corrupted.

October 23rd, 2013 2:04pm

I've checked it already but the only error in the eventlog after the reboot is:

Eventid: 1001

Source: Microsoft Security Client

Microsoft Security Client failed to apply security policy: "Antimalware Policy". Error: Failed to save the local machine Group Policy. Error Code: 0x80004005.

October 23rd, 2013 2:50pm

When I check what is inside the registry.pol, it contains all the SCEP settings and some remote control settings. All of these are defined by SCCM.

I'm out of options and have no clue why it suddenly stopped working.

October 25th, 2013 10:23am

Yes, I know this is an old post, but did you figure this out? If so how?

November 2nd, 2013 1:46pm


I clean up any post older than a week. Honestly, if you haven't got an answer within a week, you are most likely never going to get one without calling Microsoft support (CSS).

BTW, I agree with Nash this is going to be a GPO / Sec policy corruption issue. Personally I would try to reset the local Sec db and see if that fixes the issue.

November 2nd, 2013 6:06pm

MS support helped me fix this issue. The cause of the problem was a corrupt gpt.ini in c:\windows\system32\grouppolicy

After replacing the file with one that wasn't corrupt from another machine, the problem was gone! All scep policies are now applied fine!

  • Marked as answer by Jopperd Thursday, January 23, 2014 7:58 AM
January 23rd, 2014 7:58am

Hi Jopperd, I tried this and it did not resolve my issue. Would you have another suggestion? Thank you. 
September 30th, 2014 8:43pm

Try this:

To fix the error there are a few steps needed:

- Browse to the Windows\System32\GroupPolicy\Machine folder on the client and delete the file: Registry.pol
- Then restart the "SMS Agent Host" service to force ConfigMgr to download all policies again. Sometimes this is not enough and re-installation of the ConfigMgr client is needed.

After that, policies must be applied properly again.

http://henkhoogendoorn.blogspot.nl/2013/09/failed-to-open-local-machine-group.html

July 14th, 2015 8:04am
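
Before replacing gpt.ini or deleting Registry.pol as described in the posts above, a read-only check can show which of the two files is actually damaged. This is an added example, not part of the original thread or any Microsoft tool; the helper names are hypothetical, and it assumes the default local GPO folder, a gpt.ini with a [General] section and Version= entry, and the usual Registry.pol layout (a "PReg" signature, version 1, then bracketed UTF-16LE records). Run it from an elevated PowerShell prompt.

```powershell
# Added example, read-only: inspects the local GPO files and changes nothing.
# Assumption: default local GPO folder, as referenced in the thread.
$gpRoot = Join-Path $env:SystemRoot 'System32\GroupPolicy'

function Test-GptIni {            # hypothetical helper name
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return 'missing' }
    $lines = @(Get-Content -LiteralPath $Path)
    # A usable gpt.ini has a [General] section with a numeric Version= entry.
    if (-not ($lines -match '^\s*\[General\]\s*$')) { return 'no [General] section' }
    $ver = ($lines -match '^\s*Version\s*=\s*\d+\s*$') | Select-Object -First 1
    if (-not $ver) { return 'no numeric Version= entry' }
    return "well-formed ($($ver.Trim()))"
}

function Test-RegistryPol {       # hypothetical helper name
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return 'missing' }
    $b = [System.IO.File]::ReadAllBytes($Path)
    if ($b.Length -lt 8) { return "truncated header ($($b.Length) bytes)" }
    # Header: ASCII signature "PReg" followed by a little-endian DWORD version of 1.
    $sig = [System.Text.Encoding]::ASCII.GetString($b, 0, 4)
    $ver = [System.BitConverter]::ToUInt32($b, 4)
    if ($sig -cne 'PReg' -or $ver -ne 1) {
        return "bad header (signature '$sig', version $ver)"
    }
    if ($b.Length -eq 8) { return 'valid header, no settings' }
    # Body: UTF-16LE records of the form [key;value;type;size;data].
    $n = $b.Length
    $startsOk = $b[8] -eq 0x5B -and $b[9] -eq 0
    $endsOk   = $b[$n - 2] -eq 0x5D -and $b[$n - 1] -eq 0
    if (-not ($startsOk -and $endsOk)) {
        return 'records do not start with [ and end with ] (truncated or overwritten?)'
    }
    return "header and record framing OK ($n bytes)"
}

# Report one row per file so the damaged one stands out.
[pscustomobject]@{ File   = 'gpt.ini'
                   Result = Test-GptIni (Join-Path $gpRoot 'gpt.ini') }
[pscustomobject]@{ File   = 'Machine\Registry.pol'
                   Result = Test-RegistryPol (Join-Path $gpRoot 'Machine\Registry.pol') }
```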

This topic is archived. No further replies will be accepted.
