A long-standing issue (it goes back as far as Windows 10 1511) exists where GPOs are not, or not always, applied on Windows 10 machines, even though the entire setup checks out: the GPO links are correct, the network is in working order and the domain controllers are functional. Back in Windows 10 1511, an update introduced something called UNC hardening, which caused this behaviour. Although it was expected that this had since been resolved in a later cumulative update, there are still numerous reports of users encountering the issue all the way up to Windows 10 2004.
Should you be affected by this issue, the symptoms are as follows:
If you can verify the list above, you may have had the same encounter with UNC hardening that numerous users (including myself) have had. The setting has been present since Windows 10 and is enabled by default for the SYSVOL and NETLOGON shares. UNC hardening adds extra security when accessing those shares: the client must authenticate the server with Kerberos mutual authentication and, by default, must use SMB signing, so a machine cannot be tricked into fetching its policy files from a spoofed domain controller. In certain cases, however, this seems to break the loading of group policies.
To work around the issue, the requirement can be relaxed on a per-server and per-share basis by adding exceptions to the local computer registry. The entries go under the HardenedPaths key, which is where the "Hardened UNC Paths" policy (Computer Configuration > Administrative Templates > Network > Network Provider) stores its settings, so they take effect locally without a GPO having to deliver them, which would not work on an affected machine anyway. A somewhat foolproof method is importing these registry settings as a .reg file (note the doubled backslashes that .reg syntax requires; the resulting value names are \\*\SYSVOL and \\*\NETLOGON):

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths]
"\\\\*\\SYSVOL"="RequireMutualAuthentication=0"
"\\\\*\\NETLOGON"="RequireMutualAuthentication=0"

The two values above, both under the same key, turn off the Kerberos mutual-authentication requirement for every SYSVOL and NETLOGON share the client encounters, on any server. Be aware of what that trades away: with the wildcard, any host on the network that answers to those share names is accepted without Kerberos proving it is a domain controller, which is exactly the spoofing scenario UNC hardening was introduced to prevent. You can narrow the exception by replacing the wildcard with the AD domain name (in our test domain: test.local), giving \\test.local\SYSVOL and \\test.local\NETLOGON. The value data is a comma-separated option list, so "RequireMutualAuthentication=0, RequireIntegrity=1" relaxes only mutual authentication and keeps SMB signing required for those shares.
If you're doing automated installs (e.g. for VDI or other deployment methods), you can also script this. See the attached scripts for examples.
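The attached scripts are not reproduced here. The PowerShell below is an added example, not the page's own scripts, that writes the same two HardenedPaths values from a deployment task, optionally scoped to the domain name instead of the wildcard, and can remove them again with -Revert. It assumes it runs elevated; the domain name is a parameter (test.local, the page's test domain, is only the default), and the option string defaults to the page's value. It uses the .NET registry API rather than the *-ItemProperty cmdlets because a value name such as \\*\SYSVOL contains a wildcard character that those cmdlets would otherwise interpret as a pattern.

```powershell
# Added example, not the page's attached scripts. Sets (or removes) the
# Hardened UNC Path exceptions for SYSVOL and NETLOGON in the local registry.
# Assumptions: runs elevated; $Domain is only a default taken from the page's
# test domain; -Scoped writes \\<domain>\<share> entries instead of \\*\<share>;
# $Options defaults to the page's value ("RequireMutualAuthentication=0, RequireIntegrity=1"
# would relax mutual authentication only and keep SMB signing required).
[CmdletBinding()]
param(
    [string]$Domain  = 'test.local',
    [string]$Options = 'RequireMutualAuthentication=0',
    [switch]$Scoped,
    [switch]$Revert
)

$SubKey = 'SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'
$Shares = 'SYSVOL', 'NETLOGON'
$Server = if ($Scoped) { $Domain } else { '*' }

# CreateSubKey opens the key writable and creates it if it does not exist yet.
$key = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey($SubKey)
try {
    foreach ($share in $Shares) {
        # The value NAME is the UNC pattern, the value DATA is the option list.
        $name = "\\$Server\$share"
        if ($Revert) {
            # $false: do not throw if the value is already gone
            $key.DeleteValue($name, $false)
            Write-Host "Removed exception $name"
        } else {
            $key.SetValue($name, $Options, [Microsoft.Win32.RegistryValueKind]::String)
            Write-Host "Set $name = $Options"
        }
    }

    # Show what is actually stored now, wildcard and scoped entries alike.
    Write-Host "Current HardenedPaths entries:"
    foreach ($n in $key.GetValueNames()) {
        Write-Host ('  {0} = {1}' -f $n, $key.GetValue($n))
    }
} finally {
    $key.Close()
}

# Re-apply computer policy and check that the domain GPOs are now listed.
gpupdate /target:computer /force
gpresult /r /scope:computer
```

Run it as `.\Set-HardenedPathException.ps1 -Domain corp.example -Scoped` to get the narrower per-domain entries, and with `-Revert` to remove whichever entries it wrote. Two caveats: the HardenedPaths key lives under the Policies hive, so a domain GPO that configures Hardened UNC Paths will overwrite these values as soon as policy applies again (put the same entries in that GPO if the exception has to persist), and if the gpresult output still does not list the domain GPOs, reboot and check again before looking for a different cause.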