windows 10 unable to access sysvol and netlogon


After further research it was determined that this was solvable by hardening UNC paths on clients manually. We used the following commands to make this easier:

%COMSPEC% /C reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths /v "\\*\SYSVOL" /d "RequireMutualAuthentication=0" /t REG_SZ

%COMSPEC% /C reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths /v "\\*\NETLOGON" /d "RequireMutualAuthentication=0" /t REG_SZ

This just applies the hardened UNC paths from the command line rather than clicking your way through the local GPO. It's understood that Microsoft is working on a fix for this matter.
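As an added example, not code from the original post, the following PowerShell (run elevated on a Windows 10 client) reads and writes the same registry values the reg add lines above set, and puts the post's setting side by side with the hardened one. The function names and the $Requirements parameter are the editor's; the registry key and value names are the ones the post uses. The caveat a practitioner should know: RequireMutualAuthentication=0 does not harden the path, it waives the mutual-authentication requirement for that share, which is why access starts working again. The configuration Microsoft's MS15-011 / KB3000483 guidance applies to \\*\SYSVOL and \\*\NETLOGON is RequireMutualAuthentication=1,RequireIntegrity=1.

```powershell
# Added example, not code from the original post. Run in an elevated PowerShell on the client.
# Function names and the $Requirements parameter are the editor's; the key and value names
# are the ones the post's reg add lines write.
$HardenedPathsKey = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'

function Set-HardenedUncPath {
    param(
        [Parameter(Mandatory)][string]$Path,            # e.g. '\\*\SYSVOL'
        [Parameter(Mandatory)][hashtable]$Requirements  # e.g. @{ RequireMutualAuthentication = 1; RequireIntegrity = 1 }
    )
    $known = 'RequireMutualAuthentication', 'RequireIntegrity', 'RequirePrivacy'
    foreach ($flag in $Requirements.Keys) {
        if ($flag -notin $known) { throw "Unknown Hardened UNC Paths flag '$flag'" }
    }
    # The value is a REG_SZ of comma-separated Flag=0|1 pairs, exactly as the reg add lines write it.
    $setting = ($Requirements.GetEnumerator() |
        ForEach-Object { '{0}={1}' -f $_.Key, [int][bool]$_.Value }) -join ','
    # Registry.SetValue creates the key if it is missing and treats the value name literally,
    # so the '*' in '\\*\SYSVOL' is never expanded as a wildcard.
    [Microsoft.Win32.Registry]::SetValue($HardenedPathsKey, $Path, $setting,
        [Microsoft.Win32.RegistryValueKind]::String)
}

function Test-HardenedUncPath {
    # Reads one configured path back and reports which protections it actually requires.
    param([Parameter(Mandatory)][string]$Path)
    $setting = [Microsoft.Win32.Registry]::GetValue($HardenedPathsKey, $Path, $null)
    $flags = @{}
    if ($setting) {
        foreach ($pair in ($setting -split ',')) {
            $name, $value = ($pair -split '=', 2) | ForEach-Object { $_.Trim() }
            $flags[$name] = [int]$value
        }
    }
    [pscustomobject]@{
        Path               = $Path
        Configured         = [bool]$setting
        MutualAuthRequired = ($flags['RequireMutualAuthentication'] -eq 1)
        IntegrityRequired  = ($flags['RequireIntegrity'] -eq 1)
        Raw                = $setting
    }
}

# What the post's workaround sets: the share becomes reachable because the client no longer
# insists on mutual (Kerberos) authentication for it, i.e. the protection is switched off.
Set-HardenedUncPath -Path '\\*\SYSVOL' -Requirements @{ RequireMutualAuthentication = 0 }
Test-HardenedUncPath -Path '\\*\SYSVOL'

# The hardened configuration from Microsoft's MS15-011 guidance, applied to both shares.
Set-HardenedUncPath -Path '\\*\SYSVOL'   -Requirements @{ RequireMutualAuthentication = 1; RequireIntegrity = 1 }
Set-HardenedUncPath -Path '\\*\NETLOGON' -Requirements @{ RequireMutualAuthentication = 1; RequireIntegrity = 1 }
'\\*\SYSVOL', '\\*\NETLOGON' | ForEach-Object { Test-HardenedUncPath -Path $_ } | Format-Table -AutoSize
```

Because the key sits under HKLM\SOFTWARE\Policies, a domain Group Policy for Hardened UNC Paths (the setting that becomes available on the DC once KB3000483 is installed, as noted in the comments below) writes the same key and will replace whatever was set here on the next policy refresh, so Test-HardenedUncPath is the quick way to confirm which value a client has actually ended up with.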


Author: joebegborg07

Updated on September 18, 2022

Comments

  • joebegborg07
    joebegborg07 over 1 year

    A Windows 10 update introduced a security enhancement where the Windows 10 client is unable to browse to the sysvol and netlogon shares, in order to prevent unintended access to these locations.

    The symptom is that on any attempt to access these shares from a Windows 10 machine, the user is prompted for login credentials, and not even the domain admin account is granted access.

    This can be resolved by adding the DC's UNC path (<\\DC_name>) to the Hardened UNC Paths setting within the local GPO editor of every Windows 10 client, which can be located under

    Computer Configuration > Administrative Templates > Network > Network Provider > Hardened UNC Paths
    

    Now this is a working solution, however it's not ideal, as we have 120+ clients (some of them at geographically remote sites), and it's not convenient to do them manually, let alone the fact that it defeats the whole purpose of opting for a domain controller for central client management.

    When trying to push such a setting from GPO there are 2 issues:

    1. The same GPO setting is not available in the GP Management Console on Server 2012 (DC).
    2. Since GPOs are pushed through the sysvol folder, and that folder is inaccessible (unless you do the fix manually), it's rather impossible to push it to clients.

    The desired outcome is for this issue to be solved through the DC rather than from every Windows client individually.

    I look forward to help.

    Thanks,

    J

    • pat o.
      pat o. over 8 years
      You need to provide more information. What errors are you getting? What have you already tried to troubleshoot the issue?
    • Daniel
      Daniel over 8 years
      Questions seeking installation, configuration or diagnostic help must include the desired end state, the specific problem or error, sufficient information about the configuration and environment to reproduce it, and attempted solutions. Questions without a clear problem statement are not useful to other readers and are unlikely to get good answers.
    • joebegborg07
      joebegborg07 over 8 years
      Thanks for your response. I've updated the question with hopefully clearer answers to your questions. I'm not getting any error, as the systems are working as intended; however, the way this is set up is quite inconvenient as it's preventing me from managing remote computers.
    • jojojoj
      jojojoj over 8 years
      Is KB3000483 installed on the 2012 DC? UNCH was a hotfix for 2012 R2, so you won't have it as an option for GPO until that has been installed.
    • joebegborg07
      joebegborg07 about 8 years
      Hi @Craig620 and thanks for your reply. I've installed the hotfix and the GPO setting was available. I've tried to push it to all users (by including it in the Default Domain Policy), however the GPO still doesn't show up when executing gpresult on clients (following gpupdate /force). Any idea why?
    • joebegborg07
      joebegborg07 about 8 years
      Further findings: since this GPO setting is imported into a 2012 server through ADMX/ADML templates, we're unable to import this GPO into a 2003 server. Is it possible to achieve this? Or is our only option to transfer the PDC FSMO role to the 2012 server (which already has Hardened UNC Paths enabled)?
  • joebegborg07
    joebegborg07 about 8 years
    Thanks for your feedback Craig. We've done further research and determined that this was a bug residing in Windows 10 systems. I posted our workaround above.