 
by lunarg on November 30th 2020, at 16:45

A long-standing issue (it goes back as far as Windows 10 1511) exists where GPOs are not, or not always, applied on Windows 10 machines, even though the entire setup checks out (correct GPO links, network in working order, domain controllers functional). Back in Windows 10 1511, an update changed the behaviour of a feature called UNC hardening (UNC Hardened Access, originally shipped in 2015 with MS15-011/KB3000483), and that is what causes this behaviour. Although it was expected that this would be resolved in a later cumulative update, there are still numerous reports of users encountering this issue all the way up to Windows 10 2004.

Should you be affected by this issue, the symptoms are as follows:

  • You are able to successfully log on using a domain account you've never used before on the affected machine.
  • SYSVOL and NETLOGON shares are accessible but none of the group policies are applied.
  • One or more events with ID 1058 are logged:
    Event 1058
    The processing of Group Policy failed. Windows attempted to read the file \\test.local\sysvol\test.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
    a) Name Resolution/Network Connectivity to the current domain controller.
    b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
    c) The Distributed File System (DFS) client has been disabled.
  • When logged in, the path named in the event can be opened without any problems, and the policy files in SYSVOL and NETLOGON are reachable on all domain controllers.
  • No other events (errors from NETLOGON and such, stating that the domain controller isn't reachable) are logged.
  • (Unverified:) The Active Directory domain was migrated from a 2003 domain.

If you can verify the list above, you may have the same encounter with UNC hardening that numerous users (including myself) have encountered. UNC hardening (the "Hardened UNC Paths" policy, stored under HardenedPaths in the registry) has existed since the 2015 MS15-011 update, but on Windows 10 it is enabled by default for \\*\SYSVOL and \\*\NETLOGON: the client will only read from those shares if the server is mutually authenticated (Kerberos) and the connection is integrity-protected (SMB signing). It was added to stop an attacker on the network path from handing a client a forged gpt.ini or policy files, but in certain cases it seems to break the loading of group policies.

To work around the issue, UNC hardening can be relaxed on a per-server and per-share basis by adding exceptions to the local computer's registry (the same values Group Policy writes for Computer Configuration > Administrative Templates > Network > Network Provider > Hardened UNC Paths). A somewhat foolproof method is to save the following as a .reg file and import it; note that backslashes inside the quoted value names must be doubled in .reg syntax, otherwise the value name is written incorrectly:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths]
"\\\\*\\SYSVOL"="RequireMutualAuthentication=0"
"\\\\*\\NETLOGON"="RequireMutualAuthentication=0"

The two registry values above turn off the mutual-authentication requirement for every SYSVOL and NETLOGON share the client encounters, on any server. That is broader than the fix needs and reopens the spoofing scenario the hardening was introduced for, so you should "harden" the exception: specify the AD domain name instead of the wildcard (in our test domain: \\test.local\SYSVOL and \\test.local\NETLOGON), and keep the integrity requirement explicit by using "RequireMutualAuthentication=0,RequireIntegrity=1" as the value rather than relying on whatever applies to flags the entry leaves out. After importing, run gpupdate /force and confirm that no new Event 1058 is logged.

If you're doing automated installs (e.g. for VDI or other deployment methods), you can also script this. See the attached scripts for examples. Keep in mind that these are policy keys: once clients can read SYSVOL again, a GPO that configures Hardened UNC Paths will overwrite whatever you wrote locally on the next refresh, so that is the place to manage the exception centrally in the long run.
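As an added example for scripted deployments (my own code, not one of the author's attached scripts): a PowerShell script that applies the exception scoped to the machine's own domain rather than \\*, keeps the integrity flag, then refreshes policy and checks the System log for a fresh Event 1058. It assumes it is run elevated on a domain-joined Windows 10 client; the flag combination RequireMutualAuthentication=0,RequireIntegrity=1 is my suggestion, not something the post prescribes.

```powershell
# Added example, not the article's attached script.
# Assumes: elevated PowerShell on a domain-joined Windows 10 client.
$ErrorActionPreference = 'Stop'

$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'

# Read the domain the machine is actually joined to (e.g. test.local) so the
# exception is scoped to our own DCs instead of the "\\*" wildcard.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if (-not $cs.PartOfDomain) {
    throw 'This machine is not domain-joined; nothing to do.'
}
$domain = $cs.Domain

# Show what is currently configured before touching anything.
if (Test-Path $key) {
    Write-Host 'Existing HardenedPaths values:'
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object { Write-Host ('  {0} = {1}' -f $_.Name, $_.Value) }
} else {
    New-Item -Path $key -Force | Out-Null
}

# Relax only mutual authentication; keep requiring integrity (SMB signing) so
# a policy file modified on the wire is still rejected. This flag combination
# is the editor's suggestion; the article itself only sets
# RequireMutualAuthentication=0.
$flags = 'RequireMutualAuthentication=0,RequireIntegrity=1'
foreach ($share in 'SYSVOL', 'NETLOGON') {
    $path = "\\$domain\$share"
    Set-ItemProperty -Path $key -Name $path -Value $flags -Type String
    Write-Host "Set $path = $flags"
}

# Force a policy refresh, then look for the failure the article describes
# (Event 1058 from the Group Policy provider, logged to the System log).
$since = Get-Date
& gpupdate.exe /force

$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-GroupPolicy'
    Id           = 1058
    StartTime    = $since
} -ErrorAction SilentlyContinue

if ($events) {
    Write-Warning 'Event 1058 still logged after the refresh:'
    $events | Select-Object TimeCreated, Message | Format-List
} else {
    Write-Host "No Event 1058 since $since; Group Policy could read SYSVOL."
}
```

Run it once per image or as a first-boot task; because it reads the domain from the machine, the same script works unchanged across domains.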