Windows 10 – Group Policy Objects (GPO) not applied

I was working with Windows 10 (version 1511) and had fully patched the client, and to my surprise the Group Policy Objects (GPOs) were not applied on some Windows 10 machines.

I did a little searching, and it seems that Microsoft has pushed two updates (MS15-011 and MS15-014) that harden the Group Policy process. More precisely, they harden Kerberos authentication to network shares, and the NETLOGON and SYSVOL folders are network shares.

The updates are described by the PFE team here.

But why is it working on Windows 7, 8 and 8.1 and NOT on Windows 10?

First of all, UNC hardening is disabled by default in Windows 7, 8 and 8.1 and enabled in Windows 10!

Furthermore, Microsoft Support confirmed that there is a bug in Windows 10 and that they will provide a hotfix once they have fixed it.

For now, the only workaround is to disable UNC hardening for the NETLOGON and SYSVOL shares in the registry.

And it can be done this way:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths
"\\*\SYSVOL"
"RequireMutualAuthentication=0"

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths
"\\*\NETLOGON"
"RequireMutualAuthentication=0"

And the Windows 10 machines start talking to the logon shares again 😉
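
The registry change above as a PowerShell script, added here as an example and not part of the original post. `Get-HardenedPath` and `Set-HardenedPathWorkaround` are hypothetical helper names; the audit function lists every HardenedPaths entry and flags those where mutual authentication is switched off, so the workaround can be found and reverted once the hotfix is available.

```powershell
# Added example: audit (and optionally apply) the HardenedPaths workaround from this post.
# Function names are hypothetical; the key, value names and value data are the post's own.
$KeyPath = 'SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'

function Get-HardenedPath {
    # Use the .NET registry API: the value names contain '*' and backslashes,
    # which the registry provider cmdlets may interpret as wildcards.
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($KeyPath)
    if (-not $key) { return }   # key absent: no hardened paths set by policy
    try {
        foreach ($name in $key.GetValueNames()) {
            $data = [string]$key.GetValue($name)
            # The data is a comma-separated list of Setting=Value pairs.
            $settings = @{}
            foreach ($pair in $data -split ',') {
                $k, $v = $pair.Trim() -split '=', 2
                if ($k) { $settings[$k] = $v }
            }
            [pscustomobject]@{
                UncPath  = $name
                Data     = $data
                # True when the workaround (mutual authentication off) is in place.
                Weakened = ($settings['RequireMutualAuthentication'] -eq '0')
            }
        }
    } finally { $key.Close() }
}

function Set-HardenedPathWorkaround {
    # Writes the two string values from the post; needs an elevated session.
    param([string[]]$UncPath = @('\\*\SYSVOL', '\\*\NETLOGON'))
    foreach ($p in $UncPath) {
        [Microsoft.Win32.Registry]::SetValue("HKEY_LOCAL_MACHINE\$KeyPath", $p,
            'RequireMutualAuthentication=0', [Microsoft.Win32.RegistryValueKind]::String)
    }
}

# Set-HardenedPathWorkaround          # uncomment to apply the workaround
Get-HardenedPath | Format-Table -AutoSize
```

Rows with `Weakened` set to `True` are the entries to revisit after the hotfix is installed.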

Follow the Microsoft thread here.
