Wednesday, October 2, 2013

Failed to open the local machine group policy

System Center 2012 Endpoint Protection (SCEP) is build-in ConfigMgr 2012 to manage anti-malware and antivirus on devices. Most of times the product is doing well, and no issues are seen. Last time however there was a policy issue: "Failed to open the local machine group policy". Because of this no SCEP policy was active on the clients. Here's what to do in this situation.

In the ConfigMgr logs folder, there's a filed named: EndpointProtectionAgent.log
In this logfile the error message is displayed to search for.
-Failed to apply the policy C:\Windows\CCM\EPAMPolicy.xml with error (0x80004005)
-Failed to open the local machine group policy (SCEP)
Also in Event Viewer there will be error messages which send you to the right direction.

To fix the error there are a few steps needed:
-Browse to the Windows\System32\GroupPolicy\Machine folder on the client and delete the file: Registry.pol
-Then restart the "SMS Agent Host" service to enforce ConfigMgr download all policies again. Sometimes this is not enough and re-installation of the ConfigMgr client is needed.

After that policies must be applied again well.

Source: SCCM.BIZ


  1. Thanks for the concise solution Henk, I've been seeing dozens of systems with this issue as we seek to remediate "EP - Active clients at risk" reports in ConfigMgr 2012 R2 . I would suggest a reboot following the deletion of the Registry.pol file. Simply restarting the SMS Agent Host wasn't enough for me to successfully run updates on Endpoint Protection.

    1. Your welcome, thanks for comment!
      Is it right that above solution is working for you also?

  2. "gpupdate /force" followed by "net stop ccmexec && net start ccmexec" worked fine for me.

  3. If using software updates through ConfigMgr, you might also trigger all of the schedules right after deleting the file to ensure the machine is patched, especially if this was an ongoing issue for a while. This will most likely induce a restart, which in turn will get all of the policy items to function properly, including machine startup scripts.

  4. The root cause may be due to a missing AV exclusion rule in the SCEP Antimalware Policy settings. Navigate to Assets and Compliance > Endpoint Protection > Antimalware Policies, edit the Default Client Antimalware Policy, and add the following under Exclusion Settings:


    See this blog post for details: