Group Policy is not applying on Windows 10 Systems.

    Question

  • Hello Friends,

    Domain Controller Server OS : Windows 2008 R2, and recently added Windows 2012 Domain Controller servers. 

    Functional Level (F/D) : Windows 2003.

    I am facing a very strange issue in our environment. I found that Group Policies are not applying on a few Windows 10 systems, however the same is fine on systems located at the same site. While troubleshooting I found that from the problematic system the \\Domainname\Sysvol and \\Domainname\netlogon shares are not accessible. I can browse to \\domainname, but when I click on the Sysvol or Netlogon share it asks for a password, and even if I provide the right password I get an Access Denied message.

    Below is the error.

    ----------------------------------------------------------------------------------------------------------------------------------------------

    PS C:\> gpupdate /force
    Updating policy...

    Computer policy could not be updated successfully. The following errors were encountered:

    The processing of Group Policy failed. Windows attempted to read the file \\MyDomain\sysvol\MyDomain\Policies\{XXXXX
    XXX-XXX-XXXX-XXXX-XXXXXXXXXXXX}\gpt.ini from a domain controller and was not successful. Group Policy settings may not
    be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following
    :
    a) Name Resolution/Network Connectivity to the current domain controller.
    b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domai
    n controller).
    c) The Distributed File System (DFS) client has been disabled.
    User Policy could not be updated successfully. The following errors were encountered:

    The processing of Group Policy failed. Windows attempted to read the file \\MyDomain\sysvol\MyDomain\Policies\{XXXXX
    XXX-XXX-XXXX-XXXX-XXXXXXXXXXXX}\gpt.ini from a domain controller and was not successful. Group Policy settings may not
    be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following
    :
    a) Name Resolution/Network Connectivity to the current domain controller.
    b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domai
    n controller).
    c) The Distributed File System (DFS) client has been disabled.

    To diagnose the failure, review the event log or run GPRESULT /H GPReport.html from the command line to access informati
    on about Group Policy results.

    ----------------------------------------------------------------------------------------------------------------------------------------------

    Now there is a workaround available to resolve this issue: as suggested on multiple forums, we have to add the following registry entries on client systems, and as of now there is no hotfix available. As per those forums, MS already confirmed that this is a bug and suggested the registry trick. After adding the below reg entries my issue was resolved.

    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths /v "\\*\SYSVOL" /d "RequireMutualAuthentication=0" /t REG_SZ

    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths /v "\\*\NETLOGON" /d "RequireMutualAuthentication=0" /t REG_SZ

    https://wibier.me/windows-10-group-policy-objects-gpo-not-applied/
    https://social.technet.microsoft.com/Forums/en-US/6a20e3f6-728a-4aa9-831a-6133f446ea08/gpos-do-not-apply-on-windows-10-enterprise-x64?forum=winserverGP

    As per MS, this UNC Hardening is enabled by default in Win 10 systems, and we need to disable it using the registry, so my questions are...

    1) Why is this issue occurring on only a few Windows 10 systems?

    2) Adding the registry key on multiple systems is not feasible. We also cannot add it in a GPO: as the clients are not able to access Sysvol, a new GPO will never apply. And as stated, the issue is not occurring on all W10 systems, and identifying the problematic client systems is not possible.

    3) Is there anything I can do from the Domain Controllers' side?

    4) Is there any hotfix released recently for clients which can cause this type of issue?

    Regards,

    Shyam H.


    MCP, MCTS


    • Edited by Hi_SGH Tuesday, March 28, 2017 8:21 AM
    Tuesday, March 28, 2017 8:20 AM

All replies

  • Hi Shyam,
    As far as I know, this problem seems to be caused by the MS15-011 and MS15-014 updates that harden the Group Policy process. If some other Windows 10 clients are working well, they may not be the build 1067 version.
    Based on my research, it seems that we need to wait for the hotfix; for now the only workaround is to disable the UNC hardening for the netlogon and sysvol shares in the registry. So I would suggest you modify the registry on the problematic clients one by one.
    In addition, please make sure the clients are fully updated in time, which would fix some problems in each patch. You could also open a case with Microsoft Technical Support to see if they could get more information about a hotfix from the product team regarding this problem: https://support.microsoft.com/en-us/contactus/?ws=support
    We will also keep our eyes on it to update you as soon as we have any information.
    Thank you for the understanding.
    Best regards,
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Wednesday, March 29, 2017 5:22 AM
    Moderator
  • Thanks Wendy,

    I can see MS15-011 is installed on our Domain Controller, however for Windows 10 there is no hotfix available, so the question is, can this hotfix cause issues for Windows 10 clients even if it is installed on DCs? The same is the case for MS15-14: no download for Windows 10, however this KB is not installed on our DCs...


    MCP, MCTS

    Wednesday, March 29, 2017 9:17 AM
  • Below is the build version for four working and non working systems.

    Working : 1607, Non Working :1511, Working : 1511, Non Working : 1607

    Here systems with 1607 and 1511 are both getting GPO without any issue... but the other two systems with the same builds are not getting GPO.


    MCP, MCTS


    • Edited by Hi_SGH Wednesday, March 29, 2017 10:04 AM
    Wednesday, March 29, 2017 9:45 AM
  • Hi,
    Not sure if some updates are causing the different behavior on Windows 10 machines; it needs the related team to confirm that. I am sorry for the inconvenience this problem has caused you. Based on my research, I am afraid that we still need to wait for the hotfix. If we get any new information from the related team, you will be updated soon. Thank you for the understanding.
    Best regards, 
    Wendy


    Monday, April 03, 2017 2:18 AM
    Moderator
  • > The processing of Group Policy failed. Windows attempted to read the file \\MyDomain\sysvol\MyDomain\Policies\{XXXXX
    > XXX-XXX-XXXX-XXXX-XXXXXXXXXXXX}\gpt.ini from a domain controller and was not successful. Group Policy settings may not
    > be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following
     
    There's no security fix involved. Simply repair sysvol replication.
     
    Monday, April 03, 2017 11:52 AM
  • We are setting this with win7 x64 since enabling UNC hardening.  Similarly, issues go away if we set mutual auth to 0 on sysvol.  We are trying to troubleshoot issue with Microsoft.
    Tuesday, April 25, 2017 5:49 PM
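
The registry workaround discussed in this thread leaves a per-client setting that is easy to lose track of. As an added example (not code from any poster or from Microsoft), the PowerShell below parses Hardened UNC Path values and lists entries where RequireMutualAuthentication or RequireIntegrity is set to 0; the function names and the `\\*\SHARE` sample entry are hypothetical, and the sample table is constructed.

```powershell
# Policy key used by the reg add commands in the thread.
$HardenedPathsKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'

function ConvertFrom-HardenedPathValue {
    # Parse comma-separated "Name=0, Name=1" value data into a hashtable of name -> int.
    param([string]$Data)
    $settings = @{}
    foreach ($pair in $Data -split ',') {
        $name, $value = $pair.Trim() -split '=', 2
        if ($name -and $value -match '^\s*[01]\s*$') {
            $settings[$name.Trim()] = [int]$value.Trim()
        }
    }
    $settings
}

function Get-WeakenedHardenedPath {
    # Return entries where mutual authentication or integrity is explicitly set to 0.
    param([hashtable]$Entries = @{})
    foreach ($path in $Entries.Keys) {
        $s = ConvertFrom-HardenedPathValue -Data $Entries[$path]
        $off = @('RequireMutualAuthentication', 'RequireIntegrity' |
                 Where-Object { $s.ContainsKey($_) -and $s[$_] -eq 0 })
        if ($off.Count -gt 0) {
            [pscustomobject]@{ UncPath = $path; Disabled = $off -join ', '; Data = $Entries[$path] }
        }
    }
}

function Get-HardenedPathEntries {
    # Read value name -> data pairs from the local policy key (empty if the key is absent).
    $entries = @{}
    $key = Get-Item -LiteralPath $HardenedPathsKey -ErrorAction SilentlyContinue
    if ($key) {
        foreach ($name in $key.GetValueNames()) { $entries[$name] = [string]$key.GetValue($name) }
    }
    $entries
}

# Constructed sample: the two values written by the thread's reg add commands, plus one hardened entry.
$sample = @{
    '\\*\SYSVOL'   = 'RequireMutualAuthentication=0'
    '\\*\NETLOGON' = 'RequireMutualAuthentication=0'
    '\\*\SHARE'    = 'RequireMutualAuthentication=1, RequireIntegrity=1'   # hypothetical entry
}
Get-WeakenedHardenedPath -Entries $sample | Format-Table -AutoSize
# On a client, audit the live policy key: Get-WeakenedHardenedPath -Entries (Get-HardenedPathEntries)
```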