GPOs do not apply on Windows 10 Enterprise x64

    Question

  • Hi there,

    When booting a Windows 10 machine (Lenovo laptop) GPOs are not loaded. Of course I can apply them later on via gpupdate /force.

    When I have a look into the system log I always get an error in there with ID 1058. Checking the error code in the details says: Network access is denied (error code 65).

    It tries to access a gpt.ini file from the policies but does not get through.

    When I restart the computer and click the link in the error message, I get an error that the file cannot be accessed. Nevertheless, after about 30 seconds the access to the file just works.

    For me it seems that there is a service pending start which is needed for the domain access. I bet it has to do with DFS, as the GPO access works via a DFS path (namespace).

    This is quite annoying, as neither the machine policies nor the user policies are loaded.

    Here the details from the error message:

    Log Name:      System

    Source:        Microsoft-Windows-GroupPolicy

    Date:          10.9.2015 13.19.02

    Event ID:      1058

    Task Category: None

    Level:         Error

    Keywords:     

    User:          xxxxxxx\xxxxxxx

    Computer:      xxxxxxxxxxxxxxxxxxxxxxxxxxxx

    Description:

    The processing of Group Policy failed. Windows attempted to read the file \\my.domain.com\SysVol\my.domain.com\Policies\{3933BE19-C3FF-4C22-9434-B64C654C8B06}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:

    a) Name Resolution/Network Connectivity to the current domain controller.

    b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).

    c) The Distributed File System (DFS) client has been disabled.

    Event Xml:

    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">

      <System>

        <Provider Name="Microsoft-Windows-GroupPolicy" Guid="{AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}" />

        <EventID>1058</EventID>

        <Version>0</Version>

        <Level>2</Level>

        <Task>0</Task>

        <Opcode>1</Opcode>

        <Keywords>0x8000000000000000</Keywords>

        <TimeCreated SystemTime="2015-09-10T10:19:02.977910800Z" />

        <EventRecordID>1318</EventRecordID>

        <Correlation ActivityID="{9C0C77C4-AFC1-4A0E-9BFE-BE698091D73C}" />

        <Execution ProcessID="932" ThreadID="3588" />

        <Channel>System</Channel>

        <Computer>xxxxxxxxxxxxxxxxxxx</Computer>

        <Security UserID="S-1-5-21-1410795398-2781916069-518169928-1178" />

      </System>

      <EventData>

        <Data Name="SupportInfo1">4</Data>

        <Data Name="SupportInfo2">912</Data>

        <Data Name="ProcessingMode">1</Data>

        <Data Name="ProcessingTimeInMilliseconds">421</Data>

        <Data Name="ErrorCode">65</Data>

        <Data Name="ErrorDescription">Network access is denied. </Data>

        <Data Name="DCName">\\xxxxxxxxxxxxxxxxxxxxxxxxxxx</Data>

        <Data Name="GPOCNName">cn={3933BE19-C3FF-4C22-9434-B64C654C8B06},cn=policies,cn=system,DC=xxx,DC=xxxxxxxx,DC=xxxxx</Data>

        <Data Name="FilePath">\\my.domain.com\SysVol\my.domain.com\Policies\{3933BE19-C3FF-4C22-9434-B64C654C8B06}\gpt.ini</Data>

      </EventData>

    </Event>

    Thursday, September 10, 2015 1:03 PM
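    The event in the question carries everything needed to start the diagnosis (which DC answered, which GPO's gpt.ini was requested, and the Win32 error), but only inside the EventData XML. The following PowerShell is an added example, not code from the original post: it parses that XML into a flat object, lists the live 1058 events from the System log the same way, and re-tests the reported path. The sample XML is a constructed copy of the event above with its placeholders left as posted; the error-name table is a small lookup I added (65 is ERROR_NETWORK_ACCESS_DENIED, the code in the question).

```powershell
# Added example, not part of the original post: turn a Group Policy event 1058
# into the handful of fields worth looking at (which DC, which GPO, which path,
# which Win32 error) and list the live ones from the System log.

# Win32 error codes seen in the ErrorCode field of event 1058. 65 is the one
# in the question; the other two are included for comparison.
$Win32ErrorNames = @{
    5  = 'ERROR_ACCESS_DENIED'          # ACL problem on SYSVOL, not a transport/auth problem
    53 = 'ERROR_BAD_NETPATH'            # name resolution / no SMB path to the DC
    65 = 'ERROR_NETWORK_ACCESS_DENIED'  # SMB session refused: the case in this thread
}

function ConvertFrom-GpEvent1058 {
    param([Parameter(Mandatory)][xml]$EventXml)

    $ns = New-Object System.Xml.XmlNamespaceManager($EventXml.NameTable)
    $ns.AddNamespace('e', 'http://schemas.microsoft.com/win/2004/08/events/event')

    # EventData is a flat list of <Data Name="...">value</Data> elements.
    $data = @{}
    foreach ($d in $EventXml.SelectNodes('//e:EventData/e:Data', $ns)) {
        $data[$d.GetAttribute('Name')] = $d.InnerText.Trim()
    }

    $code = [int]$data['ErrorCode']
    [pscustomobject]@{
        TimeCreated  = $EventXml.Event.System.TimeCreated.SystemTime
        Computer     = $EventXml.Event.System.Computer
        DCName       = $data['DCName']
        GpoGuid      = [regex]::Match($data['GPOCNName'], '\{[0-9A-Fa-f-]+\}').Value
        FilePath     = $data['FilePath']
        ErrorCode    = $code
        ErrorName    = if ($Win32ErrorNames.ContainsKey($code)) { $Win32ErrorNames[$code] } else { 'other' }
        ErrorText    = $data['ErrorDescription']
        Milliseconds = [int]$data['ProcessingTimeInMilliseconds']
    }
}

function Get-GpEvent1058 {
    # Live query: the most recent 1058 events written by the Group Policy provider.
    param([int]$MaxEvents = 20)
    $filter = @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-GroupPolicy'; Id = 1058 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-GpEvent1058 -EventXml ([xml]$_.ToXml()) }
}

# Constructed sample: the event from the question, placeholders kept as posted.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-GroupPolicy" Guid="{AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}" />
    <EventID>1058</EventID>
    <TimeCreated SystemTime="2015-09-10T10:19:02.977910800Z" />
    <Channel>System</Channel>
    <Computer>xxxxxxxxxxxxxxxxxxx</Computer>
  </System>
  <EventData>
    <Data Name="ProcessingTimeInMilliseconds">421</Data>
    <Data Name="ErrorCode">65</Data>
    <Data Name="ErrorDescription">Network access is denied. </Data>
    <Data Name="DCName">\\xxxxxxxxxxxxxxxxxxxxxxxxxxx</Data>
    <Data Name="GPOCNName">cn={3933BE19-C3FF-4C22-9434-B64C654C8B06},cn=policies,cn=system,DC=xxx,DC=xxxxxxxx,DC=xxxxx</Data>
    <Data Name="FilePath">\\my.domain.com\SysVol\my.domain.com\Policies\{3933BE19-C3FF-4C22-9434-B64C654C8B06}\gpt.ini</Data>
  </EventData>
</Event>
'@

$parsed = ConvertFrom-GpEvent1058 -EventXml ([xml]$sample)
$parsed | Format-List

# The check the thread keeps coming back to: retry the same path a little
# later. Readable now but not at boot points at a startup race (network,
# name resolution or Kerberos not ready), not at SYSVOL permissions.
$retry = Test-Path -LiteralPath $parsed.FilePath
"{0} readable now: {1}" -f $parsed.FilePath, $retry

Get-GpEvent1058 | Format-Table TimeCreated, DCName, GpoGuid, ErrorCode, ErrorName -AutoSize
```

    Error 65 is worth keeping apart from error 5: 5 means the SMB session was set up and the ACL said no, while 65 means the session itself was refused, which is what a client enforcing mutual authentication does when it cannot get Kerberos to the DC.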

Answers

  • Hello,

    I opened a support case with Microsoft about Windows 10 and this UNC hardening, which is disabled by default in Windows 7 to 8.1 but enabled in Windows 10.

    Support confirmed that there is a bug in Windows 10 and they will provide a hotfix once they have fixed it. Until then the only workaround is to disable the UNC hardening for the NETLOGON and SYSVOL shares in the registry.

    Regards

    Robert

    Wednesday, October 07, 2015 1:28 PM

All replies

  • Hi Robinion,

    Thanks for your post.

    This problem is directly related to the group policy settings that Microsoft recommended to harden group policy, and is outlined in MS15-011 and MS15-014. And as Keith Brewer explained, if only Mutual Authentication is required and the connection is failing with STATUS_NETWORK_ACCESS_DENIED, then the client is likely experiencing issues with Kerberos authentication.
    You need to identify why Kerberos authentication is not being utilized. If you can repro this issue by running "gpupdate", a network trace may help during that time as a start. It could be anything from DNS configuration errors, firewall configuration errors, Kerberos SPN configuration errors, etc.

    Please check the article for more details.

    http://blogs.technet.com/b/askpfeplat/archive/2015/02/23/guidance-on-deployment-of-ms15-011-and-ms15-014.aspx

    Best Regards,

    Mary Dong


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, September 14, 2015 7:27 AM
    Moderator
  • Hello,

    and thank you for the comment. I still don't get a grip on this problem. When I install Microsoft Network Monitor, run it after a reboot and then execute gpupdate /force, the update of GPOs fails. The GUID mentioned in the error message is the one of the Default Domain Policy. Of course I get a network trace, but I don't have any idea what I should even search for in there.

    It’s for sure not a network or DNS problem as all our Windows 7 workstations in the environment run just fine all the time. No issues there.

    I checked this hardening article but we do not even have this feature enabled anywhere. For testing I disabled the firewalls on our DCs as well without any success.

    No idea what I should do next.

    Regards

    Robert

    Monday, September 14, 2015 10:26 AM
  • We have almost the same issue.

    The problem occurs when we log on from a different VLAN.

    Wifi is VLAN 80; a cabled connection on VLAN 80 also results in this same problem.

    30 sec later we can get to the file. gpupdate /force results in the correct GPOs and user scripts.

    But the machine script won't run with user credentials.

    Windows 10 Enterprise

    On the regular VLAN there is no problem.

    thanks

    Martijn

    Wednesday, October 07, 2015 1:01 PM
  • Hello,

    I opened a support case with Microsoft about Windows 10 and this UNC hardening, which is disabled by default in Windows 7 to 8.1 but enabled in Windows 10.

    Support confirmed that there is a bug in Windows 10 and they will provide a hotfix once they have fixed it. Until then the only workaround is to disable the UNC hardening for the NETLOGON and SYSVOL shares in the registry.

    Regards

    Robert

    Wednesday, October 07, 2015 1:28 PM
  • nice!

    How do I disable the UNC hardening for the NETLOGON and SYSVOL shares in the registry?

    Regards,

    Martijn

    Wednesday, October 07, 2015 2:17 PM
  • Hi Martijn,

    It's described in this KB article how it's done, but in a nutshell you have to add two registry keys which disable UNC hardening for both of the shares. I do this by adding the following commands to our OS deployment BEFORE joining the machine to the domain:

    %COMSPEC% /C reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths /v "\\*\SYSVOL" /d "RequireMutualAuthentication=0" /t REG_SZ

    %COMSPEC% /C reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths /v "\\*\NETLOGON" /d "RequireMutualAuthentication=0" /t REG_SZ

     

    Hope this helps. If you have further questions just let me know.

    Cheers

    Robert




    • Edited by Robinion Thursday, October 08, 2015 5:27 AM
    Thursday, October 08, 2015 5:26 AM
  • Hi Robert,

    I have solved the issues thanks.

    2 problems at the same time confused me.

    Our Windows 8.1 clients had GPO issues for about 1 week and the Windows 10 clients had GPO issues.

    The problems only occurred on our Wifi (different VLAN).

    Windows 8.1 had to do with a Windows update, and Microsoft Update KB3083711 and KB2976978 fixed the issues. The clients are now able to use the GPOs with computer startup scripts.

    Windows 10 GPO issues on our Wifi VLAN are fixed with the UNC Hardening GPO.

    Settings:

    \\*\NETLOGON  RequireMutualAuthentication=0,RequireIntegrity=0

    \\*\SYSVOL RequireMutualAuthentication=0,RequireIntegrity=0

    Martijn

    Thursday, October 08, 2015 11:34 AM

  • Hello,

    I am experiencing the same problem with Windows 10, but in my case disabling UNC hardening in the registry has not improved the situation. I found that enabling "Always wait for the network at computer startup and logon" in group policy oddly seems to have resolved the issue on some but not all machines. Machines where this is a problem do not map network drives at login after a reboot and have the same inability to read the gpt.ini file from the domain controller for 10-30 seconds, and in the group policy log it fails with error code 65. Additionally, after logging in there is sometimes a DNS error in the system log that says the system failed to register host resource records. This issue is only affecting our Windows 10 machines. Any assistance with resolving/troubleshooting this issue would be greatly appreciated.

    Thanks,

    Chris

    Wednesday, January 13, 2016 12:17 AM
    I am also experiencing this only on Windows 10. I have found that updating the network drivers sometimes helps and sometimes doesn't. My most frustrating box will run the startup script the first time after joining the domain, and on all future startups it fails. I have had the Wait for Network GPO set for ages so I know that it helps, but for some Windows 10 boxes it's like it completely ignores the wait setting. Anyone else experiencing this problem please post, or if you have any suggestions I'm all ears.
    Tuesday, January 26, 2016 12:04 AM
    I am experiencing the exact same problem. I've managed to resolve it by setting the registry settings above on a test client; it works fine after that. Let's hope MS patch it soon!

    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths
    "\\*\SYSVOL"
    "RequireMutualAuthentication=0"

    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths
    "\\*\NETLOGON"
    "RequireMutualAuthentication=0"

    Tuesday, January 26, 2016 7:49 AM
  • Any update on a proper MS fix??
    Thursday, February 11, 2016 12:32 PM
  • MS support told me it was fixed in Cumulative Update for Windows 10 Version 1511 for x64-based Systems (KB3140768).  I tried that CU, but no luck.  My wired clients are better, but wireless are still experiencing the same issue, so I am back to disabling UNC hardened paths.
    Thursday, March 17, 2016 4:55 PM
  • Rubbish.... Anyone had success with this update?
    Monday, March 28, 2016 3:22 PM
  • Hello,

    I have exact the same issue.

    My Windows 10 Pro machine is generating event 1058 at boot, so no computer GPOs are set.

    The fix with the un-hardening for SYSVOL and NETLOGON didn't work.

    I spent 2 days assigning some GPOs to use the laptops in the HQ with roaming profile and folder redirection, and without them when they are outside in a branch office.

    I first thought that my policies were wrong, so I recreated them.

    I assigned the different sites with WMI filters and with GPOs linked to the sites.

    I saw that the policies were not applied.

    When we are logged in, we can do a gpupdate /force and then they are changed.

    So when I looked harder in the logs, I saw the event 1058.

    So the computer tries to read the first policy, gets an error and stops with the other policies.

    I already changed which GPO is the first one, but the error is the same.

    I called MS Belgium today, but because I don't have SA or a contract, I must pay for resolving this bug?!? The first technician said that for sure my network was wrongly configured. When I insisted that I was not the only one having this problem and that the W7 machines were working as expected, the argument was that only the few bad things of W10 can be found, but not the good things.

    I need working GPOs at boot... Does someone have another solution yet?

    Because I lost a lot of time, I am considering installing W7 on that machine as a temporary solution.

    Friday, April 01, 2016 3:02 PM
  • MANY THANKS!

    This has been pissing me off for months now!!! I re-ran in-wall network cabling to try and solve this issue. I tried many different network driver versions. I reconfigured the switches, I investigated registry keys, I blamed UEFI, I was about to rebuild the domain controllers....

    Network access is denied, YET I can see the god damn gpt.ini file on the domain controller fine!!!... All because of this poorly documented "feature". My god...

    Half my GPOs would apply, and the other half would not. Or sometimes all would apply! and everything would be perfect. Sometimes nothing would apply. I could image two machines at the same time, same model, and one would work and the other would not. I could then re-image the one that didn't work and sometimes it would start getting policy and work fine!!! The other thing was it was never just one policy that failed, it would be a random GUID every time.

    This was a horrible issue. Only affected Windows 10. Intermittent, sporadic, basically the worst issue to narrow down.

    If I hadn't hit on the right search terms and found this thread I would have never solved it. The key was "network access is denied" and gpt.ini; that finally got me results. I really thought it was my environment causing this, but of course, it's gimpy, broken out of the box Win10.

    This fix worked fine and I am now putting these registry keys into my image. Just another Windows 10 workaround to document, remember and maintain. And I can confirm it's not fixed in 1511. I am at the latest build. Sigh...

    Win10, oh how I hate thee...

    Oh, I also added the following to maybe fix the WDS "network issues" problem I have also been having with only Win10 clients...

    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths /v "\\wds" /d "RequireMutualAuthentication=0" /t REG_SZ

    Wednesday, April 20, 2016 9:16 PM
  • Our build contains KB3140768 and we're still seeing the issue on some machines (looks like it might just be on newer hardware with SSDs) - the reg workaround does seem to help though.
    Tuesday, May 03, 2016 1:31 PM
  • So.. windows 10 is more secure than previous versions, and all you can do is complain because you actually had to do your job and administer it?

    You are not someone I want working for me.

    Thursday, May 05, 2016 4:19 PM
  • This is true. I have the same problem.

    Carlos Jefferson, Infrastructure and Security Administrator

    Thursday, June 16, 2016 6:53 PM
  • So.. windows 10 is more secure than previous versions, and all you can do is complain because you actually had to do your job and administer it?

    You are not someone I want working for me.

    ??? Really, dude? Sounds more like Microsoft didn't think about current environments and lacks a proper test cycle or QC team at times. Pretty major thing to eff up. And why the heck did you even leave a post on this if you can't contribute? The fact that they offer a hotfix means it was an eff-up on their side, so yeah.

    To those who actually offered solutions/fixes: thank you. So far the registry fix didn't help in our environment, but I will be doing more testing.

    Thursday, June 23, 2016 3:55 PM
  • https://support.microsoft.com/en-us/kb/3000483

    Minimum recommended configuration for domain-joined computers

    We recommend that all NETLOGON and SYSVOL shares be configured to require both mutual authentication and integrity in order to help secure Group Policy against spoofing and tampering attacks that can be leveraged to achieve remote code execution.

    Hardened UNC paths:

    Value name      Value
    \\*\NETLOGON    RequireMutualAuthentication=1, RequireIntegrity=1
    \\*\SYSVOL      RequireMutualAuthentication=1, RequireIntegrity=1
    Friday, July 08, 2016 5:42 PM
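    The thread now contains two opposite configurations of the same policy key: the relaxed values Robert and Martijn posted as a workaround (RequireMutualAuthentication=0, RequireIntegrity=0) and the KB 3000483 baseline quoted above (both set to 1). The PowerShell below is an added example, not code from the thread or from the KB: it reads HKLM\...\NetworkProvider\HardenedPaths, parses each value string, reports which NETLOGON/SYSVOL entries sit below the baseline, and can write either configuration back. It is my own audit logic; the reading of a missing option inside a configured entry as "not required" is an assumption I made for the comparison, and a path that is not configured at all is reported as "default" rather than weak, since the thread states Windows 10 enables the hardening by default.

```powershell
# Added example (not from the thread or KB 3000483): audit and set the
# Hardened UNC Paths policy values against the KB baseline.

$HardenedPathsKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'

# Baseline from KB 3000483 (value name -> value data).
$Baseline = @{
    '\\*\NETLOGON' = 'RequireMutualAuthentication=1, RequireIntegrity=1'
    '\\*\SYSVOL'   = 'RequireMutualAuthentication=1, RequireIntegrity=1'
}

# The workaround posted earlier in this thread.
$Relaxed = @{
    '\\*\NETLOGON' = 'RequireMutualAuthentication=0,RequireIntegrity=0'
    '\\*\SYSVOL'   = 'RequireMutualAuthentication=0,RequireIntegrity=0'
}

function ConvertFrom-HardenedPathValue {
    # 'RequireMutualAuthentication=0,RequireIntegrity=0' -> @{ RequireMutualAuthentication = 0; RequireIntegrity = 0 }
    param([string]$Data)
    $result = @{}
    foreach ($pair in ($Data -split ',')) {
        $kv = $pair.Trim() -split '=', 2
        if ($kv.Count -eq 2) { $result[$kv[0].Trim()] = [int]$kv[1].Trim() }
    }
    $result
}

function Test-HardenedPaths {
    # Read-only: one object per baseline path or configured path.
    $configured = @{}
    if (Test-Path $HardenedPathsKey) {
        $props = Get-ItemProperty -Path $HardenedPathsKey
        foreach ($name in $props.PSObject.Properties.Name) {
            if ($name -like '\\*') { $configured[$name] = [string]$props.$name }   # skip PSPath etc.
        }
    }
    foreach ($path in (@($Baseline.Keys) + @($configured.Keys) | Sort-Object -Unique)) {
        if (-not $configured.ContainsKey($path)) {
            [pscustomobject]@{ Path = $path; Configured = '(not set)'; BelowBaseline = ''; Status = 'default' }
            continue
        }
        $have = ConvertFrom-HardenedPathValue $configured[$path]
        $want = if ($Baseline.ContainsKey($path)) { ConvertFrom-HardenedPathValue $Baseline[$path] } else { @{} }
        # Assumption: an option missing from a configured entry counts as 0.
        $weak = @($want.Keys | Where-Object { -not $have.ContainsKey($_) -or $have[$_] -lt $want[$_] })
        [pscustomobject]@{
            Path          = $path
            Configured    = $configured[$path]
            BelowBaseline = $weak -join ','
            Status        = if ($weak.Count -gt 0) { 'WEAKENED' } elseif ($want.Count -eq 0) { 'extra entry' } else { 'ok' }
        }
    }
}

function Set-HardenedPaths {
    # Writes either the KB baseline or the thread's relaxed workaround.
    # Supports -WhatIf so the change can be previewed first.
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$UseRelaxedWorkaround)
    $values = if ($UseRelaxedWorkaround) { $Relaxed } else { $Baseline }
    if (-not (Test-Path $HardenedPathsKey)) { New-Item -Path $HardenedPathsKey -Force | Out-Null }
    foreach ($name in $values.Keys) {
        if ($PSCmdlet.ShouldProcess("$HardenedPathsKey [$name]", "set to '$($values[$name])'")) {
            New-ItemProperty -Path $HardenedPathsKey -Name $name -PropertyType String -Value $values[$name] -Force | Out-Null
        }
    }
}

# Usage: audit first, then preview a change, then apply it.
Test-HardenedPaths | Format-Table -AutoSize
Set-HardenedPaths -WhatIf                      # preview restoring the KB baseline
# Set-HardenedPaths -UseRelaxedWorkaround     # the thread's stopgap; record it and revert once the client is patched
```

    Reading the audit output: a WEAKENED row on \\*\SYSVOL means the client will accept a SYSVOL share it cannot authenticate as a real DC, which is exactly the spoofing case the KB text above is guarding against; if the workaround was baked into an image, as several posters did, the rows stay WEAKENED on every machine built from it until something reverts them.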
    We are running Windows 10 Enterprise and I implemented the UNC hardening as MS recommended. I too had issues with Group Policies not applying, but it was not impactful as I only tested it against a single machine. It took me a while to realize the version of Windows 10 I was on is prior, I believe, to the fix that was included in a cumulative update. As soon as I applied https://support.microsoft.com/en-us/kb/3163018 GP started processing at login.
    Tuesday, July 12, 2016 3:40 PM
    We faced an issue with GPO policies not applying to Windows 10 because the Windows 10 GPO templates were not there on the Domain Controllers.

    http://www.windowstricks.in/2016/07/group-policy-setting-not-applying-windows-10-computers.html

    Also check Microsoft security patch MS16-072; after the patch, GPOs stopped working due to a security setting.

    http://www.windowstricks.in/2016/06/group-policy-not-applyingworking-patching-gpo-permission-issues.html


    Regards www.windowstricks.in

    Monday, July 18, 2016 4:46 AM
  • I went ahead and completely removed the Technical Preview July 12/2016 (breaks a multitude of paths for updates, GPO’s, SAP connections, shares, etc)

    KB3172985

    https://support.microsoft.com/en-us/kb/3172985

    ended up with version 10.0.10586 Enterprise

    Monday, July 25, 2016 7:13 PM
  • I went ahead and completely removed the Technical Preview July 12/2016 (breaks a multitude of paths for updates, GPO’s, SAP connections, shares, etc)

    KB3172985

    https://support.microsoft.com/en-us/kb/3172985

    ended up with version 10.0.10586 Enterprise

    Please read this.

    It will also solve issues to others who got broken gpo after this update.

    https://blogs.technet.microsoft.com/askpfeplat/2016/07/05/who-broke-my-user-gpos/


    • Edited by iosysss Tuesday, July 26, 2016 8:55 AM
    Tuesday, July 26, 2016 8:54 AM
    In Windows 10 Enterprise ver 10.0.10586 (1511), removing KB3172985 allowed local admins to pass all policies without issues (Authenticated Users and Domain Computers are READ allowed in Delegation), but it fails to apply policies for standard users. I also tried the command lines for SYSVOL and NETLOGON, and they did not improve things. Adding the usernames into groups did not either.

    It is definitely a change with 10.0.10586 and group policy. The %username% variable can no longer be passed into the standard user environment, while it still works for a user with local Administrators membership.

    Tuesday, July 26, 2016 12:45 PM
    I've searched and scoured the internet for 6 hours now about this issue. I've tried the registry edit, I've tried recreating the GPOs, I've tried removing 'Authenticated Users' out of the GPOs' security filtering and have tried every combination of either 'Authenticated Users' or 'Domain Computers' listed under the Delegation tab as 'Read', I've made the registry edit before joining the laptop to the domain and it still doesn't work, on and on and on and on.

    Where I am at right now is that I have the following GPOs: Default Domain Policy, SCCMFirewall, Student Logon GPO and "vDesktop and Office 2010 Settings". A Windows 10 machine will see the Student Logon and the vDesktop policies (they are denied because they're not applicable to the logins I'm trying out, but it sees them), but it will not see or apply the "Default Domain Policy" or the "SCCMFirewall" policy. The Windows 7 machine right next to me that I'm using to check and make sure I don't break anything sees everything and accepts or denies them every time.

    "Student Logon" applies to a specific user group, and "vDesktop" applies to a few specific users. I had Default Domain Policy and SCCMFirewall applied to 'Authenticated Users', but I had read somewhere about this whole issue that you can't have that, so I changed them both to Domain Users. From what I can tell I have the same Delegations listed under the two working ones as I do under the two that aren't being read.

    Haven't started using Windows 10 yet where I work, but this cart of 30 laptops I need to reimage was going to be the test run of an image I built over the summer. The image isn't the issue because I'm experiencing all the same issues on a laptop I have here that I'm doing the testing on that wasn't cloned with that image. Have all my Windows Updates. I've already wasted a day researching this. These laptops are getting Win7 and so is everything else going forward as long as I work in this county if I can't figure this out in a day's time.

    THANKS!!!!

    Friday, September 02, 2016 6:46 PM
  • I'm not sure if others are still having this problem, but something I discovered was that access via netbios (not fqdn) name to \\domain\netlogon and \\domain\sysvol are not available for about 50 seconds after login.  I put a login script for a user that just loops over a test for "if not exist \\domain\netlogon\. " and echoing the date/time to a log.  It takes about 50 seconds for SOME of my machines to pass this test.  During the time, the desktop appears, and the login script keeps churning.  Opening a command prompt, I find I can access \\domain.loc\netlogon just fine, so there is something in probably netbios name resolution.  It MIGHT be the lmhosts service - still trying to track it down.  If I disable that service entirely, I never run the login script.  If I query it while the failure is happening, it's running apparently though who knows if there is a negative cache or initialization occurring.  Stopping the service after it's functioning does not produce the failure.
    Thursday, February 16, 2017 12:48 AM
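    The batch loop in the last post is the right instinct: measure how long after logon the share becomes reachable instead of guessing. The PowerShell below is an added example, not the poster's script, that generalizes it to several UNC paths at once and records the time-to-reachable for each, so the NetBIOS form (\\domain\NETLOGON) and the FQDN form (\\domain.tld\NETLOGON) can be compared side by side. It assumes a domain-joined client where the USERDOMAIN and USERDNSDOMAIN environment variables are set by the logon; the log file location and the timeout are my choices.

```powershell
# Added example, not from the thread: time how long each UNC path takes to
# become reachable after logon. Run it as a logon script or from a prompt
# immediately after the desktop appears.

function Wait-DomainShare {
    param(
        [Parameter(Mandatory)][string[]]$Path,   # UNC paths to watch
        [int]$TimeoutSeconds  = 120,
        [int]$IntervalSeconds = 2,
        [string]$Log = "$env:TEMP\share-probe.log"  # assumption: any writable path will do
    )
    $start   = Get-Date
    $pending = [System.Collections.Generic.List[string]]::new($Path)
    $result  = @{}

    while ($pending.Count -gt 0 -and ((Get-Date) - $start).TotalSeconds -lt $TimeoutSeconds) {
        foreach ($p in @($pending)) {
            # Same test as the batch loop ("if not exist \\domain\netlogon\."),
            # but with the elapsed time written down.
            if (Test-Path -LiteralPath $p) {
                $elapsed     = [int]((Get-Date) - $start).TotalSeconds
                $result[$p]  = $elapsed
                "$(Get-Date -Format o)`t$p`treachable after ${elapsed}s" | Add-Content -Path $Log
                $pending.Remove($p) | Out-Null
            }
        }
        if ($pending.Count -gt 0) { Start-Sleep -Seconds $IntervalSeconds }
    }

    foreach ($p in $pending) {
        $result[$p] = -1   # never became reachable within the timeout
        "$(Get-Date -Format o)`t$p`tNOT reachable after ${TimeoutSeconds}s" | Add-Content -Path $Log
    }
    [pscustomobject]$result
}

# NetBIOS and FQDN forms of the same shares; the poster saw only the
# NetBIOS form lag, which points at name resolution rather than SMB auth.
$targets = @(
    "\\$env:USERDOMAIN\NETLOGON",
    "\\$env:USERDNSDOMAIN\NETLOGON",
    "\\$env:USERDNSDOMAIN\SYSVOL"
)
Wait-DomainShare -Path $targets | Format-List
```

    How to read the numbers: if the FQDN path is reachable at 0 s while the NetBIOS path takes tens of seconds, the delay is in resolving the short domain name and the Hardened Paths setting is not the cause; if both forms lag by the same amount, the client is not yet able to build an authenticated session to any DC, which is the case the earlier replies about Kerberos and mutual authentication describe.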