PowerShell: Fixing “Windows could not connect to the Group Policy Client service”

My wife got this error the other day on her Windows 10 machine when trying to login.  After a bit of digging, it seems it’s not unheard of but there’s no clear answer about why it happens (It’s a corrupted / missing set of registry entries.  The cause could be a bad shut-down, crash, interrupted update or pre-cursor to Martian attack.  Who knows.)

I found a good site that provides a solution. To fix the issue you need to create a registry sub-key and value (confusingly, both of the same name) and a pair of values under the sub-key you just created. That cures the problem but there’s no more information about to how to prevent it happening again.

In lieu of a proper preventative solution I wrote a script to perform the changes (with a bit of safety code too) so if it re-occurs I’m good to go.

Script and walk-through after the line.

This was saved as a script (.ps1) file and run to fix the issue;

[CmdletBinding()]
Param()
Write-Verbose "Starting $($MyInvocation.MyCommand)"
$RegistryKey="HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost"
$RegistrySubName="GPSvcGroup"
$RegistryPath=$RegistryKey+"\"+$RegistrySubName
if ((Get-ItemProperty -Path $RegistryKey).$RegistrySubName -eq $Null)
{
    Write-Verbose "Writing $RegistrySubName value"
    New-ItemProperty -Path $RegistryKey -Name GPSvcGroup -Value "GPSvc" -PropertyType MultiString
}else
{
    Write-Verbose "$RegistrySubName value already exists; skipping"
}
if (!(Test-Path -Path $RegistryPath -PathType Container))
{
    Write-Verbose "Writing $RegistrySubName key"
    New-Item -Path $RegistryKey -Name GPSvcGroup
}else
{
    Write-Verbose "$RegistrySubName key already exists; skipping"
}
if ((Get-ItemProperty -Path $RegistryPath).AuthenticationCapabilities -eq $Null)
{
    Write-Verbose "Writing AuthenticationCapabilities value"
    New-ItemProperty -Path $RegistryPath -Name AuthenticationCapabilities -Value 12320 -PropertyType DWORD
}else
{
    Write-Verbose "AuthenticationCapabilities value already exists; skipping"
}
if ((Get-ItemProperty -Path $RegistryPath).CoInitializeSecurityParam -eq $Null)
{
    Write-Verbose "Writing CoInitializeSecurityParam value"
    New-ItemProperty -Path $RegistryPath -Name CoInitializeSecurityParam -Value 1 -PropertyType DWORD
}else
{
    Write-Verbose "CoInitializeSecurityParam value already exists; skipping"
}

It’s a quick-and-dirty script to fix the issue.  I could have made it a function, parametrised it etc but to be honest that would be gilding the lilly 🙂

$RegistryKey="HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost"
$RegistrySubName="GPSvcGroup"
$RegistryPath=$RegistryKey+"\"+$RegistrySubName

I set the parent registry key and the name of the sub-key/value in variables here just to save me retyping them.  It also means I can reuse the code in future if I need to tweak where all these registry settings are located.

if ((Get-ItemProperty -Path $RegistryKey).$RegistrySubName -eq $Null)
{
    Write-Verbose "Writing $RegistrySubName value"
    New-ItemProperty -Path $RegistryKey -Name GPSvcGroup -Value "GPSvc" -PropertyType MultiString
}else
{
    Write-Verbose "$RegistrySubName value already exists; skipping"
}

Get-ItemProperty can be used on any provider;  because I’ve passed it a registry path (“hklm:” at the start) it returns a registry key.  Values on registry keys are returned as properties on an object so I check to see if the value is present first (not $null).

If it’s missing I create it as a multi-string value with the correct value in it.

if (!(Test-Path -Path $RegistryPath -PathType Container))
{
    Write-Verbose "Writing $RegistrySubName key"
    New-Item -Path $RegistryKey -Name GPSvcGroup
}else
{
    Write-Verbose "$RegistrySubName key already exists; skipping"
}

Again, I can use Test-Path on any provider, including the registry.  I want to check for a sub-key rather than the value I just created so I specify the path and the “-PathType Container” option.

New-Item is used to create it if it’s missing (it’s not a registry value so PowerShell doesn’t treat it like an object property).

The rest of the script follows the same pattern.  One additional note is the value used for the AuthenticationCapabilities;  it’s specified in hex in the original article so I had to convert it to decimal for the PowerShell command.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s