Windows 10 unable to access SYSVOL and NETLOGON
After further research, it was determined that this was solvable by hardening UNC paths on clients manually. We used the following script to make this easier:
rem Writes the Hardened UNC Paths policy directly to the registry key the local GPO editor uses.
rem /f overwrites an existing value without prompting, so the script does not stall when re-run.
%COMSPEC% /C reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths /v "\\*\SYSVOL" /d "RequireMutualAuthentication=0" /t REG_SZ /f
%COMSPEC% /C reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths /v "\\*\NETLOGON" /d "RequireMutualAuthentication=0" /t REG_SZ /f
This just applies the hardened UNC paths from the command line rather than by clicking your way through the local GPO. It's understood that a solution for this matter is a work in progress at Microsoft.
joebegborg07, updated on September 18, 2022

Comments
-
joebegborg07, over 1 year
A Windows 10 update introduced a security enhancement where the Windows 10 client is unable to browse to the SYSVOL and NETLOGON shares, in order to prevent unintended access to these locations.
The symptom is that on any attempt to access these shares from a Windows 10 machine, the user is prompted for login credentials, and not even the domain admin account is granted access.
This can be resolved by adding the DC's UNC path (\\DC_name) to the Hardened UNC Paths setting within the local GPO editor of every Windows 10 client, which can be located under
Computer Configuration > Administrative Templates > Network > Network Provider > Hardened UNC Paths
Now, this is a working solution; however, it's not ideal, as we have 120+ clients (some of them at geographically remote sites), and it's not convenient to do them manually, let alone the fact that it defeats the whole purpose of opting for a domain controller for central client management.
When trying to push such a setting from GPO, there are 2 issues:
- The same GPO setting is not available in the GP Management Console on Server 2012 (DC).
- Since GPOs are pushed through the SYSVOL folder, and that folder is inaccessible (unless you do the fix manually), it's rather impossible to push to clients.
The desired outcome is where this issue is solved through the DC rather than from every windows client individually.
I look forward to your help.
Thanks,
J
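The GPO setting the question navigates to (Computer Configuration > Administrative Templates > Network > Network Provider > Hardened UNC Paths) and the registry values the answer above writes with reg.exe are the same policy: the GUI writes to HKLM\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths. The following PowerShell is an added example for setting and auditing that key on a single client; it is not the original poster's script. The function names Set-HardenedUncPath and Get-HardenedUncPath are this example's own. It defaults to the values Microsoft documents for these two shares, RequireMutualAuthentication=1, RequireIntegrity=1, which is what actually hardens the path; a value of RequireMutualAuthentication=0, as in the workaround above, records a policy entry for the path but does not require mutual authentication, and the audit function below reports it as not hardened so that you can see the difference before rolling a value out to 120+ machines.

```powershell
# Added example (not the original poster's script). Run from an elevated
# PowerShell prompt on the Windows 10 client. Function names are hypothetical.

$HardenedPathsKey = 'SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'

function Set-HardenedUncPath {
    param(
        [Parameter(Mandatory)] [string] $UncPath,          # e.g. '\\*\SYSVOL'
        [bool] $RequireMutualAuthentication = $true,
        [bool] $RequireIntegrity = $true,
        [bool] $RequirePrivacy = $false
    )
    # The REG_SZ value is a comma-separated list of Require*=0|1 flags.
    $flags = @(
        "RequireMutualAuthentication=$([int]$RequireMutualAuthentication)",
        "RequireIntegrity=$([int]$RequireIntegrity)"
    )
    if ($RequirePrivacy) { $flags += 'RequirePrivacy=1' }
    $value = $flags -join ', '

    # Use the .NET registry API with literal names: the value name contains '*',
    # which the *-ItemProperty cmdlets may interpret as a wildcard.
    $key = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey($HardenedPathsKey)
    try {
        $key.SetValue($UncPath, $value, [Microsoft.Win32.RegistryValueKind]::String)
    } finally {
        $key.Dispose()
    }
    return $value
}

function Get-HardenedUncPath {
    param([Parameter(Mandatory)] [string] $UncPath)
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($HardenedPathsKey)
    if (-not $key) { return $null }          # policy key absent: nothing configured
    try {
        $raw = $key.GetValue($UncPath)
    } finally {
        $key.Dispose()
    }
    if (-not $raw) { return $null }          # no entry for this UNC path

    # Parse "RequireMutualAuthentication=1, RequireIntegrity=1" into a hashtable.
    $parsed = @{}
    foreach ($pair in ($raw -split ',')) {
        $name, $val = ($pair.Trim() -split '=', 2)
        $parsed[$name] = [int]$val
    }
    $mutual    = [bool]$parsed['RequireMutualAuthentication']
    $integrity = [bool]$parsed['RequireIntegrity']
    [pscustomobject]@{
        Path                        = $UncPath
        Raw                         = $raw
        RequireMutualAuthentication = $mutual
        RequireIntegrity            = $integrity
        RequirePrivacy              = [bool]$parsed['RequirePrivacy']
        # "Hardened" means both documented flags are on; a 0 for either is a
        # policy entry that does not enforce the protection.
        Hardened                    = ($mutual -and $integrity)
    }
}

# Apply the documented hardening to both shares, then audit what is in the key.
foreach ($path in '\\*\SYSVOL', '\\*\NETLOGON') {
    Set-HardenedUncPath -UncPath $path | Out-Null
}
'\\*\SYSVOL', '\\*\NETLOGON' |
    ForEach-Object { Get-HardenedUncPath -UncPath $_ } |
    Format-Table Path, Raw, Hardened -AutoSize
```

Running Get-HardenedUncPath alone is a safe read-only check that can be pointed at a machine where the reg.exe lines above were already run: the RequireMutualAuthentication=0 entry shows up with Hardened = False, while a client configured through the GPO editor with the documented values shows Hardened = True.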
-
pat o., over 8 years: You need to provide more information. What errors are you getting? What have you already tried to troubleshoot the issue?
-
Daniel, over 8 years: Questions seeking installation, configuration or diagnostic help must include the desired end state, the specific problem or error, sufficient information about the configuration and environment to reproduce it, and attempted solutions. Questions without a clear problem statement are not useful to other readers and are unlikely to get good answers.
-
joebegborg07, over 8 years: Thanks for your response. I've updated the question with hopefully clearer answers to your questions. I'm not getting any error, as the systems are working as intended; however, the way this is set up is quite inconvenient, as it's preventing me from managing remote computers.
-
jojojoj, over 8 years: Is KB3000483 installed on the 2012 DC? UNCH was a hotfix for 2012 R2, so you won't have it as an option for GPO until that has been installed.
-
joebegborg07, about 8 years: Hi @Craig620, and thanks for your reply. I've installed the hotfix and the GPO was available. I've tried to push it to all users (by including it in the default domain policy); however, the GPO still doesn't show up when executing gpresult on clients (following gpupdate /force). Any idea why?
-
joebegborg07, about 8 years: Further findings: since this GPO is imported into a 2012 server through ADMX/ADML templates, we're unable to import this GPO into a 2003 server. Is it possible to achieve this? Or is our only option to transfer the PDC FSMO role to the 2012 server (which already has the Hardened UNC Paths enabled)?
-
joebegborg07, about 8 years: Thanks for your feedback, Craig. We've done further research and determined that this was a bug residing in Windows 10 systems. I posted our workaround above.