GPOs do not apply on Windows 10 Enterprise x64

  • Question

  • Hi there,

    When booting a Windows 10 machine (Lenovo laptop) GPOs are not loaded. Of course I can apply them later on via gpupdate /force.

    When I have a look into the system log I always get an error in there with the ID 1058. Checking the error code in the details says: Network access is denied (error code 65).

    It tries to access a gpt.ini file from the policies but does not get through.

    When I restart the computer, click the link in the error message I get an error that the file cannot be accessed. Nevertheless after about 30 seconds the access to the file just works.

    For me it seems that there is a service pending start which is needed for the domain access. I bet it has to do with DFS as the GPO access works via DFS path(namespace).

    This is quite annoying as the machine policies are not loaded, and neither are the user policies.

    Here the details from the error message:

    Log Name:      System

    Source:        Microsoft-Windows-GroupPolicy

    Date:          10.9.2015 13.19.02

    Event ID:      1058

    Task Category: None

    Level:         Error


    User:          xxxxxxx\xxxxxxx

    Computer:      xxxxxxxxxxxxxxxxxxxxxxxxxxxx


    The processing of Group Policy failed. Windows attempted to read the file \\my.domain.com\SysVol\my.domain.com\Policies\{3933BE19-C3FF-4C22-9434-B64C654C8B06}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:

    a) Name Resolution/Network Connectivity to the current domain controller.

    b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).

    c) The Distributed File System (DFS) client has been disabled.

    Event Xml:

    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
        <Provider Name="Microsoft-Windows-GroupPolicy" Guid="{AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}" />
        <TimeCreated SystemTime="2015-09-10T10:19:02.977910800Z" />
        <Correlation ActivityID="{9C0C77C4-AFC1-4A0E-9BFE-BE698091D73C}" />
        <Execution ProcessID="932" ThreadID="3588" />
        <Security UserID="S-1-5-21-1410795398-2781916069-518169928-1178" />
        <Data Name="SupportInfo1">4</Data>
        <Data Name="SupportInfo2">912</Data>
        <Data Name="ProcessingMode">1</Data>
        <Data Name="ProcessingTimeInMilliseconds">421</Data>
        <Data Name="ErrorCode">65</Data>
        <Data Name="ErrorDescription">Network access is denied. </Data>
        <Data Name="DCName">\\xxxxxxxxxxxxxxxxxxxxxxxxxxx</Data>
        <Data Name="GPOCNName">cn={3933BE19-C3FF-4C22-9434-B64C654C8B06},cn=policies,cn=system,DC=xxx,DC=xxxxxxxx,DC=xxxxx</Data>
        <Data Name="FilePath">\\my.domain.com\SysVol\my.domain.com\Policies\{3933BE19-C3FF-4C22-9434-B64C654C8B06}\gpt.ini</Data>



    • Moved by Deason Wu Friday, September 11, 2015 5:43 AM
    Thursday, September 10, 2015 1:03 PM
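
Added example (not part of the original post): a PowerShell sketch that parses Group Policy event 1058 XML like the record quoted above and counts failures per computer, error code and GPO, so clients that boot without machine policy stand out. The function names are hypothetical, and the two sample events are constructed from the fields shown in the post with placeholder computer and DC names.

```powershell
# CONSTRUCTED sample events; only the Data names, error text, GPO GUID and
# SYSVOL path come from the post. Host names are placeholders.
$SampleEvents = @(
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-GroupPolicy" />
    <EventID>1058</EventID>
    <TimeCreated SystemTime="2015-09-10T10:19:02.977910800Z" />
    <Computer>CLIENT01.my.domain.com</Computer>
  </System>
  <EventData>
    <Data Name="ErrorCode">65</Data>
    <Data Name="ErrorDescription">Network access is denied. </Data>
    <Data Name="DCName">\\DC01.my.domain.com</Data>
    <Data Name="FilePath">\\my.domain.com\SysVol\my.domain.com\Policies\{3933BE19-C3FF-4C22-9434-B64C654C8B06}\gpt.ini</Data>
  </EventData>
</Event>
'@,
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-GroupPolicy" />
    <EventID>1058</EventID>
    <TimeCreated SystemTime="2015-09-11T06:02:41.120000000Z" />
    <Computer>CLIENT01.my.domain.com</Computer>
  </System>
  <EventData>
    <Data Name="ErrorCode">65</Data>
    <Data Name="ErrorDescription">Network access is denied. </Data>
    <Data Name="DCName">\\DC01.my.domain.com</Data>
    <Data Name="FilePath">\\my.domain.com\SysVol\my.domain.com\Policies\{3933BE19-C3FF-4C22-9434-B64C654C8B06}\gpt.ini</Data>
  </EventData>
</Event>
'@
)

# Turn each event's XML into one object with the fields that matter for triage.
function ConvertFrom-Gp1058Xml {
    param([Parameter(Mandatory)][string[]]$EventXml)
    foreach ($raw in $EventXml) {
        $doc = [xml]$raw
        $f = @{}
        foreach ($d in $doc.Event.EventData.Data) {
            $f[$d.GetAttribute('Name')] = $d.InnerText.Trim()
        }
        # The GPO GUID is the {…} folder name inside the SYSVOL path.
        $gpo = if ($f['FilePath'] -match '\{[0-9A-Fa-f-]{36}\}') { $Matches[0] } else { '(none)' }
        [pscustomobject]@{
            TimeCreated = $doc.Event.System.TimeCreated.SystemTime
            Computer    = $doc.Event.System.Computer
            ErrorCode   = [int]$f['ErrorCode']
            Error       = $f['ErrorDescription']
            DC          = $f['DCName']
            GpoGuid     = $gpo
        }
    }
}

# One row per computer / error code / GPO with a count and first/last time seen.
function Get-Gp1058Summary {
    param([Parameter(Mandatory)][object[]]$Failure)
    $Failure | Group-Object Computer, ErrorCode, GpoGuid | ForEach-Object {
        $times = @($_.Group.TimeCreated | Sort-Object)   # ISO 8601 sorts as text
        [pscustomobject]@{
            Computer  = $_.Group[0].Computer
            ErrorCode = $_.Group[0].ErrorCode
            GpoGuid   = $_.Group[0].GpoGuid
            Count     = $_.Count
            FirstSeen = $times[0]
            LastSeen  = $times[-1]
        }
    }
}

$failures = ConvertFrom-Gp1058Xml -EventXml $SampleEvents
Get-Gp1058Summary -Failure $failures | Format-Table -AutoSize

# On a live client, replace the sample with real events:
# $xml = Get-WinEvent -FilterHashtable @{LogName='System'; ProviderName='Microsoft-Windows-GroupPolicy'; Id=1058} |
#        ForEach-Object { $_.ToXml() }
# Get-Gp1058Summary -Failure (ConvertFrom-Gp1058Xml -EventXml $xml)
```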



All replies

  • Hi Robinion,

    Thanks for your post.

    This problem is directly related to the group policy settings that Microsoft recommended to harden group policy, and is outlined in MS15-011 and MS15-014. And as Keith Brewer explained, if only Mutual Authentication is required and the connection is failing with STATUS_NETWORK_ACCESS_DENIED, then the client is likely experiencing issues with Kerberos authentication.
    You need to identify why Kerberos authentication is not being utilized. If you can repro this issue by running “gpupdate”, a network trace may help during that time as a start. It could be anything from DNS configuration errors, firewall configuration errors, Kerberos SPN configuration errors, etc.  

    Please check the article for more details.


    Best Regards,

    Mary Dong

    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, September 14, 2015 7:27 AM
  • Hello,

    and thank you for the comment. I still don’t get a grip on this problem. When I install Microsoft Network Monitor and run it after a reboot and then executing gpupdate /force the update of GPOs fails. The GUID mentioned in the error message is the one of the Default Domain Policy. Of course I get a network trace but I don’t have any idea what I should even search for in there.

    It’s for sure not a network or DNS problem as all our Windows 7 workstations in the environment run just fine all the time. No issues there.

    I checked this hardening article but we do not even have this feature enabled anywhere. For testing I disabled the firewalls on our DCs as well without any success.

    No idea what I should do next.



    Monday, September 14, 2015 10:26 AM
  • We have almost the same issue.

    The problem occurs when we log on from a different VLAN.

    Wifi is VLAN 80; a cabled connection on VLAN 80 also results in this same problem.

    30 sec later we can get to the file. GPUpdate /force results in the correct GPOs and user scripts.

    But the machine script won't run with user credentials.

    Windows 10 Enterprise

    On the regular VLAN there is no problem.



    Wednesday, October 7, 2015 1:01 PM
  • Hello,

    I opened a support case with Microsoft about Windows 10 and this UNC hardening, which is disabled by default in Windows 7 to 8.1 but enabled in Windows 10.

    Support confirmed that there is a bug in Windows 10 and they will provide a hotfix one day when they have fixed it. Until now the only workaround is to disable the UNC hardening for the netlogon and sysvol shares in the registry.



    • Marked as answer by Mary Dong Thursday, October 8, 2015 1:25 AM
    Wednesday, October 7, 2015 1:28 PM
  • nice!

    How do I disable the UNC hardening for the netlogon and sysvol shares in the registry?



    Wednesday, October 7, 2015 2:17 PM
  • Hi Martijn,

    It's described in this KB article how it's done, but in a nutshell you have to add two registry keys which disable UNC hardening for both of the shares. I do this by adding the following commands to our OS deployment BEFORE joining the machine to the domain:

    %COMSPEC% /C reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths /v "\\*\SYSVOL" /d "RequireMutualAuthentication=0" /t REG_SZ

    %COMSPEC% /C reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths /v "\\*\NETLOGON" /d "RequireMutualAuthentication=0" /t REG_SZ


    Hope this helps. If you have further questions just let me know.



    • Edited by Robinion Thursday, October 8, 2015 5:27 AM
    Thursday, October 8, 2015 5:26 AM
  • Hi Robert,

    I have solved the issues thanks.

    2 problems at the same time confused me.

    Our Windows 8.1 clients had GPO issues for about 1 week and the Windows 10 clients had GPO issues.

    The problems only occurred on our Wifi (different VLAN).

    Windows 8.1 had to do with a Windows update, and Microsoft Update KB3083711 and KB2976978 fixed the issues. The clients are now able to use the GPOs with computer startup scripts.

    Windows 10 GPO issues on our Wifi VLAN are fixed with the UNC Hardening GPO


    \\*\NETLOGON  RequireMutualAuthentication=0,RequireIntegrity=0

    \\*\SYSVOL RequireMutualAuthentication=0,RequireIntegrity=0


    Thursday, October 8, 2015 11:34 AM

  • Hello,

    I am experiencing the same problem with Windows 10 but in my case disabling UNC hardening in the registry has not improved the situation. I found that enabling "Always wait for the network at computer startup and logon" in group policy oddly seems to have resolved the issue on some but not all machines. Machines where this is a problem do not map network drives at login after a reboot and have the same inability to read the gpt.ini file from the domain controller for 10-30 seconds and in the group policy log it fails with error code 65. Additionally, after logging in there is sometimes a DNS error in the system log that says the system failed to register host resource records. This issue is only affecting our Windows 10 machines. Any assistance with resolving/troubleshooting this issue would be greatly appreciated.



    Wednesday, January 13, 2016 12:17 AM
  • I am also experiencing this only on Windows 10. I have found that updating the network drivers sometimes helps and sometimes doesn't. My most frustrating box will run the startup script the first time after joining the domain, and on all future startups it fails. I have had the Wait for Network GPO set for ages so I know that it helps, but for some Windows 10 boxes, it's like it completely ignores the wait setting. Anyone else experiencing this problem please post, or if you have any suggestions I'm all ears.
    Tuesday, January 26, 2016 12:04 AM
  • I am experiencing the exact same problem. I've managed to resolve it by setting the registry settings above on a test client; it works fine after that. Let's hope MS patch it soon!


    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths "\\*\NETLOGON"

    Tuesday, January 26, 2016 7:49 AM
  • Any update on a proper MS fix??
    Thursday, February 11, 2016 12:32 PM
  • MS support told me it was fixed in Cumulative Update for Windows 10 Version 1511 for x64-based Systems (KB3140768).  I tried that CU, but no luck.  My wired clients are better, but wireless are still experiencing the same issue, so I am back to disabling UNC hardened paths.
    Thursday, March 17, 2016 4:55 PM
  • Rubbish.... Anyone had success with this update?
    Monday, March 28, 2016 3:22 PM
  • Hello,

    I have exactly the same issue.

    My Windows 10 Pro machine is generating event 1058 at boot, so no computer GPOs are set.

    The fix with the un-hardening for sysvol and netlogon didn't work.

    I spent 2 days to assign some GPOs to use the laptops in the HQ with roaming profile and folder redirection and without when they are outside on a branch office.

    I first thought that my policies were wrong, so I recreated them.

    I assigned the different sites with WMI filters and with GPOs linked to the sites.

    I saw that the policies were not applied.

    When we were logged in, we can do a gpupdate /force and then they are changed.

    So when I looked harder in the logs, I saw the event 1058.

    So the computer tries to read the first policy, gets an error and stops with the other policies.

    I already changed which gpo was the first are nog, only the error is the same.

    I called MS Belgium today, but because I don't have SA or a contract, I must pay for resolving this bug.?!?  The first technician said that for sure my network was wrongly configured.  When I insisted that I was not the only one having this problem and that the W7 machines were working as expected, the argument was that only the few bad things of W10 can be found, but not the good things.

    I need working GPOs at boot...  Does someone have another solution yet?

    Because I lost a lot of time, I am considering installing W7 on that machine as a temp solution.

    Friday, April 1, 2016 3:02 PM

  • this has been pissing me off for months now!!! I re-ran in wall network cabling to try and solve this issue. I tried many different network driver versions. I reconfigured the switches, i investigated registry keys, i blamed UEFI, i was about to rebuild the domain controllers....

    Network access is denied YET i can see the god damn gpt.ini file on the domain controller fine!!!... All because of this poorly documented "feature". my god...

    Half my GPOs would apply, and the other half would not. Or sometimes, all would apply! and everything would be perfect. Sometimes nothing would apply. I could image two machines at the same time, same model and one would work and the other would not. I could then re image the one that didnt work and sometimes it would start getting policy and work fine!!! The other thing was it was never just one policy that failed, it would be a random GUID every time.

    This was a horrible issue. Only affected windows 10. Intermittent, sporadic, basically the worst issue to narrow down.

    If I hadn't hit on the right search terms and found this thread I would have never solved it. The key was "network access is denied" and gpt.ini , that finally got me results. I really thought it was my environment causing this, but of course, its gimpy, broken out of the box win10.

     This fixed worked fine and i am now putting these registry keys into my image. Just another windows 10 workaround to document, remember and maintain. and i can confirm its not fixed in 1511. I am at latest build. Sigh...

    win10, oh how i hate thee...

    Oh i also added the following to maybe fix the WDS "network issues" problem i have also been having with only win10 clients...

    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths /v "\\wds" /d "RequireMutualAuthentication=0" /t REG_SZ 

    Wednesday, April 20, 2016 9:16 PM
  • Our build contains KB3140768 and we're still seeing the issue on some machines (looks like it might just be on newer hardware with SSDs) - the reg workaround does seem to help though.
    Tuesday, May 3, 2016 1:31 PM
  • So.. windows 10 is more secure than previous versions, and all you can do is complain because you actually had to do your job and administer it?

    You are not someone I want working for me.

    Thursday, May 5, 2016 4:19 PM
  • This is true. I have the same problem.

    Carlos Jefferson Administrador de Infraestrutura e Segurança

    Thursday, June 16, 2016 6:53 PM
  • So.. windows 10 is more secure than previous versions, and all you can do is complain because you actually had to do your job and administer it?

    You are not someone I want working for me.

    ??? really dude? sounds more like microsoft didn't think about current environments and lacks a proper test cycle or QC team at times.  pretty major thing to eff up.   and why the heck did you even leave a post on this if you can't contribute.  the fact that they offer a hotfix means it was an eff up on their side so yea.

    to those who actually offered solutions/fixes; thank you.  so far the registry fix didn't help in our environment but i will be doing more testing.

    Thursday, June 23, 2016 3:55 PM
  • https://support.microsoft.com/en-us/kb/3000483

    Minimum recommended configuration for domain-joined computers

    We recommend that all NETLOGON and SYSVOL shares be configured to require both mutual authentication and integrity in order to help secure Group Policy against spoofing and tampering attacks that can be leveraged to achieve remote code execution. 

    Hardened UNC paths
    Value name Value
    \\*\NETLOGON RequireMutualAuthentication=1, RequireIntegrity=1
    \\*\SYSVOL RequireMutualAuthentication=1, RequireIntegrity=1
    Friday, July 8, 2016 5:42 PM
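
Added example (not part of the thread, and not Microsoft's code): a PowerShell audit that reads the HardenedPaths policy key used in the workaround commands earlier in this thread and reports whether \\*\NETLOGON and \\*\SYSVOL still carry the values KB 3000483 recommends. The function names are hypothetical, and the sample hashtable is constructed from the workaround values posted above.

```powershell
# Policy key taken from the reg add commands posted in this thread.
$HardenedPathsKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'

# Parse "RequireMutualAuthentication=1, RequireIntegrity=1" into name -> setting.
function ConvertFrom-HardenedPathValue {
    param([string]$Value)
    $flags = @{}
    foreach ($pair in ($Value -split ',')) {
        $name, $setting = $pair.Trim() -split '=', 2
        if ($name) { $flags[$name.Trim()] = "$setting".Trim() }
    }
    return $flags
}

# Read every value under the policy key; returns an empty table if the key is absent.
function Get-HardenedPathConfig {
    $config = @{}
    if (Test-Path -LiteralPath $HardenedPathsKey) {
        $key = Get-Item -LiteralPath $HardenedPathsKey
        foreach ($n in $key.GetValueNames()) { $config[$n] = [string]$key.GetValue($n) }
    }
    return $config
}

# Compare the two Group Policy shares against the recommended settings.
function Test-HardenedPath {
    param([hashtable]$Configured = @{})
    foreach ($path in '\\*\NETLOGON', '\\*\SYSVOL') {
        if (-not $Configured.ContainsKey($path)) {
            # No explicit policy value: whatever the OS default is applies.
            $value  = $null
            $status = 'NotConfigured'
        } else {
            $value = $Configured[$path]
            $flags = ConvertFrom-HardenedPathValue -Value $value
            $ok = $flags['RequireMutualAuthentication'] -eq '1' -and
                  $flags['RequireIntegrity'] -eq '1'
            $status = if ($ok) { 'Recommended' } else { 'Weakened' }
        }
        [pscustomobject]@{ Path = $path; Value = $value; Status = $status }
    }
}

# CONSTRUCTED sample reproducing the workaround values posted in this thread.
$sample = @{
    '\\*\SYSVOL'   = 'RequireMutualAuthentication=0'
    '\\*\NETLOGON' = 'RequireMutualAuthentication=0,RequireIntegrity=0'
}
Test-HardenedPath -Configured $sample | Format-Table -AutoSize

# On a live machine:
# Test-HardenedPath -Configured (Get-HardenedPathConfig) | Format-Table -AutoSize
```

Rows reported as Weakened identify machines where the workaround is still in place and needs to be revisited once a fixed build is deployed.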
  • We are running Windows 10 Enterprise and I implemented the UNC hardening as MS recommended. I too had issues with Group Policies not applying but it was not impactful as I only tested it against a single machine. It took me awhile to realize the version of Windows 10 I was on is prior, I believe, to the fix that was included in a cumulative update. As soon as I applied https://support.microsoft.com/en-us/kb/3163018 GP started processing at login.
    Tuesday, July 12, 2016 3:40 PM
  • We faced an issue where GPO policies did not apply to Windows 10 because the Windows 10 GPO templates were not there on the Domain Controllers.


    Also check Microsoft security patch MS16-072; after the patch, GPOs stopped working due to a security setting.


    Regards www.windowstricks.in

    Monday, July 18, 2016 4:46 AM
  • I went ahead and completely removed the Technical Preview July 12/2016 (breaks a multitude of paths for updates, GPO’s, SAP connections, shares, etc)



    ended up with version 10.0.10586 Enterprise

    Monday, July 25, 2016 7:13 PM
  • I went ahead and completely removed the Technical Preview July 12/2016 (breaks a multitude of paths for updates, GPO’s, SAP connections, shares, etc)



    ended up with version 10.0.10586 Enterprise

    Please read this.

    It will also solve issues to others who got broken gpo after this update.


    • Edited by iosysss Tuesday, July 26, 2016 8:55 AM
    Tuesday, July 26, 2016 8:54 AM
  • In Windows 10 Enterprise ver 10.0.10586 (1511), removing kb3172985 allowed local admins to pass all policies without issues (authenticated users and domain computers are READ allow in delegation), but it fails to apply policies for standard users. I also tried the command lines for sysvol and netlogon, and it did not improve. Adding the usernames into groups did not either.

    There is definitely a change with 10.0.10586 and group policy.  The %username% variable can no longer be passed into the standard user environment, while it still works for a user with local administrators membership.

    Tuesday, July 26, 2016 12:45 PM
  • I've searched and scoured the internet for 6 hours now about this issue. I've tried the registry edit, I've tried recreating the GPOs, I've tried removing 'authenticated users' out of the GPOs' security filtering and have tried every combination of either 'authenticated users' or 'domain computers' listed under the Delegation tab as 'Read', I've made the registry edit before joining the laptop to the domain and it still doesn't work, on and on and on and on.

    Where I am at right now is that I have the following GPOs: Default Domain Policy, SCCMFirewall, Student Logon GPO and "vDesktop and Office 2010 Settings". A Windows 10 machine will see the Student Logon and the vDesktop policies (they are denied because they're not applicable to the logins I'm trying out, but it sees them), but it will not see or apply the "Default Domain Policy" or the "SCCMFirewall" policy. The Windows 7 machine right next to me that I'm using to check and make sure I don't break anything sees everything and accepts or denies them every time.

    "Student Logon" applies to a specific user group, and "vDesktop" applies to a few specific users. I had Default Domain Policy and SCCMFirewall applied to 'Authenticated Users' but I had read somewhere about this whole issue that you can't have that so I changed them both to Domain Users. From what I can tell I have the same Delegations listed under the two working ones as I do the two that aren't being read.

    I haven't started using Windows 10 yet where I work, but this cart of 30 laptops I need to reimage was going to be the test run of an image I built over the summer. The image isn't the issue because I'm experiencing all the same issues on a laptop I have here that I'm doing the testing on that wasn't cloned with that image. I have all my Windows Updates. I've already wasted a day researching this. These laptops are getting Win7 and so is everything else going forward as long as I work in this county if I can't figure this out in a day's time.


    Friday, September 2, 2016 6:46 PM
  • I'm not sure if others are still having this problem, but something I discovered was that access via netbios (not fqdn) name to \\domain\netlogon and \\domain\sysvol are not available for about 50 seconds after login.  I put a login script for a user that just loops over a test for "if not exist \\domain\netlogon\. " and echoing the date/time to a log.  It takes about 50 seconds for SOME of my machines to pass this test.  During the time, the desktop appears, and the login script keeps churning.  Opening a command prompt, I find I can access \\domain.loc\netlogon just fine, so there is something in probably netbios name resolution.  It MIGHT be the lmhosts service - still trying to track it down.  If I disable that service entirely, I never run the login script.  If I query it while the failure is happening, it's running apparently though who knows if there is a negative cache or initialization occurring.  Stopping the service after it's functioning does not produce the failure.
    Thursday, February 16, 2017 12:48 AM
  • How did you open the support case? Did you have to pay? I've found a bug in Windows 10 and the only way (even after my license reseller tried as well) to report this was to open a case and pay.
    Friday, May 5, 2017 1:15 PM
  • We are seeing this with windows 7 clients, group policy not consistently coming down with UNC hardening on.

    We put a ticket in with Microsoft (we pay to have a 5 pack of support cases available to us).  They confirmed after a few days of looking at various things it's a bug.  They wouldn't give me a bug number, nor any way to track if it's ever fixed in an upcoming patch made available.   I believe because they're calling it a bug they have not "charged us" for one of our 5 support cases.

    I'm still hoping to find some way to get alerted if this is ever fixed.   I bet a whole bunch of Microsoft customers who have UNC hardening on don't realize their policies aren't consistently coming down.

    Monday, May 8, 2017 11:29 AM
  • How do you apply these settings? I'm faced with the same problem and I don't know how to apply the settings you suggested.
    Tuesday, July 25, 2017 1:02 PM
  • Hi! Is there any solution for this error? We are experiencing the same issues with 10.0.15063.540 now. Is there still no fix after all this time?


    Monday, September 11, 2017 8:12 PM
  • Any further news on this fix coming?  Running Win10 1703 OS Build 15063.632 and still needing to disable UNC path hardening to \\*\SYSVOL to make things work consistently. 
    Wednesday, October 4, 2017 10:24 AM
  • LTSB 2016 14393.1770. Still get this on random clients accessing GPO from Server 2012 R2 domain. None of the W7 clients exhibit the problem. So going forward, does it mean going backwards in MS terms? Seb
    Tuesday, November 7, 2017 7:15 PM
  • Hello all, just wondering what the current update was regarding this issue? Is the recommendation still to disable UNC hardening on the server shares?

    I am running Win 10 1709 Build 16299.248 on 25 Dell Optiplex 7440 AIOs, and the students' printers do not get mapped to their user account maybe 1 out of 30 times. I believe it's related as I am seeing GPO processing error 1508 in the event viewer.

    Friday, March 2, 2018 6:05 PM
  • Hi!

    We have a few laptops in our company with the same error (Windows 10 Pro, 16299.251). The error only appears when the laptop is on a WIFI connection, and after a couple of minutes the gpupdate /force command works properly. I just set the UNC hardening for the sysvol and the netlogon folders to RequireMutualAuthentication=0; maybe this will solve the problem. I am curious when Microsoft will fix this problem.


    Friday, March 9, 2018 9:29 AM
  • David_ai, thanks for the update. I tried the UNC hardening fix and it did not resolve my issue. What seems to be working for me is to change the path of the printer server share to INCLUDE the FQDN of the server name. So when I use GPO to deploy printers via user preferences, it is shared as \\server\printername, so I changed the UNC path to be \\server.domain.com\printername. 

    I have no idea why this resolved the problem for me, and I'm not 100% that it has, but after a couple of days, I have not had a printer fail to map. I believe my problem is slightly different than most, and something due to DNS or name resolution issues in our environment. Sometimes I try to path over to \\domain.com\ and I get an error that it is not found. Which should never happen in my opinion, and it sounded exactly like the UNC hardening issue.

    Good luck all!

    Thursday, March 15, 2018 1:32 PM
  • Looks as this setting/s also create troubles with AGPM in Windows 2016. You cannot create new GPO's, check in GPO's and create templates. Although on 2012R2 all is working as a charm, with latest version AGPM is not usable anymore. Please Microsoft, solve this buggy update.
    Wednesday, April 4, 2018 3:47 PM
  • Windows 10.0.16299.309 Pro (with SSD) also has this issue! (Event ID 1058, ErrorCode 0)

    Why does Microsoft not fix this bug?

    • Edited by mst-user Friday, April 6, 2018 3:35 PM
    Friday, April 6, 2018 3:31 PM
  • I think they do not read their own forums... :-(
    Monday, April 9, 2018 9:08 AM
  • Fresh Windows 10.0.17134.1 also has this issue...
    Thursday, May 3, 2018 10:16 AM
  • I faced the same issue, but finally I got my machines back using the network assistant from control panel (control.exe => System => Computer name, domain and workgroup settings => Change settings => Network ID)

    Call me old fashioned, but it seems to me that the control panel is working much better than the new shit called "settings" in W10. (It ain't be worth the name!)

    I hope, this helps.

    Best regards (except Microsoft)

    Friday, August 10, 2018 2:11 PM
  • Windows 10, 1909 (Version 10.0.18363.657) still has this issue...


    Wednesday, February 19, 2020 12:18 PM
  • Disabling NetBIOS fixed the issue for me
    Thursday, May 14, 2020 1:47 AM