![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(67.2, 0%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERJ%3C/text%3E%3C/svg%3E)
Windows for business | Windows Client for IT Pros | Directory services | Deploy group policy objects
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(275.2, 16%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EV0%3C/text%3E%3C/svg%3E)
Hi, It’s clear you’ve already done solid groundwork. The Error 87 – The parameter is incorrect in Group Policy processing typically indicates a mismatch or corruption in policy data, often tied to ADMX parsing issues or unsupported policy parameters within a specific extension. Since you mentioned that one of your policies uses the Cisco Duo ADMX, that’s a strong lead to focus on first.
Here are a few next steps to help isolate and resolve the issue:
Validate the ADMX and ADML Versions
Ensure that both the Cisco Duo ADMX and its corresponding ADML (language file) are located in the correct folder:
\<domain>\SYSVOL<domain>\Policies\PolicyDefinitions
Verify that both files are the same version. A mismatch (e.g., outdated ADML) can trigger error 87.
Check for Syntax or Schema Issues
Open the ADMX file in a text editor and look for missing closing tags or invalid parameter types.
You can validate ADMX syntax using Microsoft’s ADMX Migrator tool or the Policy Analyzer from the Security Compliance Toolkit.
Compare Policy GUIDs
The GUID in the XML error log may not correspond directly to a GPO name but rather to a Client Side Extension (CSE) or a specific policy class.
You can cross-reference the GUID in C:\Windows\System32\GroupPolicy\Machine\Registry.pol or use gpresult /h report.html to see which policies failed during processing.
Event Viewer – Operational Logs
Open Event Viewer → Applications and Services Logs → Microsoft → Windows → GroupPolicy → Operational.
Look for events with ID 7016, 7017, or 7018, which often give the failing policy and parameter name.
Test by Removing the Duo ADMX Temporarily
As you mentioned, removing the ADMX and creating equivalent settings using Group Policy Preferences → Registry is a perfectly valid workaround.
If removing the Duo ADMX eliminates the processing error, it confirms that the ADMX schema or its values are not being parsed correctly.
Force a Clean GP Refresh
Run the following to clear cached policies and reapply them:
gpupdate /force
If issues persist, try deleting the contents of %WinDir%\System32\GroupPolicy\Machine and %WinDir%\System32\GroupPolicy\User (carefully) and then re-run gpupdate /force.
If none of the above resolves it, capturing a ProcMon trace filtered for gpsvc and registry operations during GP processing can reveal where it’s failing (e.g., malformed registry value or permission issue).
Given your scenario, I suspect the Duo ADMX is either outdated or incompatible with your current Windows build. Updating it to the latest version or moving to a registry-based configuration should stabilize policy processing.
I hope this helps you move forward with the investigation! 😊
If you find this guidance helpful, please click “Accept Answer” — it lets others in the community know what worked.
Best regards, VP