Hey guys,
We are currently rolling out Windows 10 Enterprise 1511 at a new customer and we encountered a problem with policies not being applied on a Wi-Fi connection, even though the Wait for Network Connection policies etc. are applied. After logging in to the system you can either do a GPUPDATE /Force or just wait, and the policies are applied after random intervals of 15-45 min. The same system on a wired connection works.
After troubleshooting DNS, NAP, 802.1x policies and logging network activity I found this post on https://social.technet.microsoft.com/Forums/en-US/6a20e3f6-728a-4aa9-831a-6133f446ea08/gpos-do-not-apply-on-windows-10-enterprise-x64?forum=winserverGP. It turns out that UNC Hardening is turned on by default in W10. After a little investigation there is a lot of information saying that this should have been changed in the W10 Ent 1511 release, but it clearly is not. After getting home from the office I did some more testing, and in-place upgrades from W8 and W8.1 are not affected by this, since they were solved with a patch from Microsoft disabling the UNC hardening feature by default.
MS15-011 covers UNC hardening in more depth:
https://support.microsoft.com/en-us/kb/3000483
https://blogs.technet.microsoft.com/askpfeplat/2015/02/22/guidance-on-deployment-of-ms15-011-and-ms15-014/
Adding these registry keys solved my issues completely and gives me time to test UNC Hardening fully in a lab environment before adding the feature in production:
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths /v "\\*\SYSVOL" /d "RequireMutualAuthentication=0" /t REG_SZ
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths /v "\\*\NETLOGON" /d "RequireMutualAuthentication=0" /t REG_SZ
Note: by adding these registry keys you completely turn off UNC Hardening on the Windows 10 client.
I strongly recommend looking into MS15-011 and MS15-014 and implementing them to secure your environment against possible remote code execution.
Br /Peter
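As an added example (not part of Peter's post), here is a small PowerShell audit script that reads the HardenedPaths key from the post and reports which UNC entries currently have mutual authentication, integrity or privacy switched off, so the temporary `RequireMutualAuthentication=0` workaround for `\\*\SYSVOL` and `\\*\NETLOGON` can be found again and reverted once the lab testing is done. It assumes it is run in an elevated PowerShell on the client being checked and that the values follow the `Name=0/1, Name=0/1` format used by the policy.

```powershell
# Added audit helper, not code from the original post.
# Assumption: run in an elevated PowerShell on the Windows 10 client.
$HardenedPathsKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'

# Parses one value such as "RequireMutualAuthentication=0, RequireIntegrity=1"
# into a hashtable of flag name -> 0/1.
function ConvertFrom-HardenedPathValue {
    param([string]$Data)
    $flags = @{}
    foreach ($pair in ($Data -split ',')) {
        $name, $value = ($pair.Trim() -split '=', 2)
        if ($name -and $null -ne $value) {
            $flags[$name.Trim()] = $value.Trim() -as [int]
        }
    }
    return $flags
}

# Returns one object per hardened path with the flags that are set to 0.
# An empty "Weakened" column means the entry keeps hardening fully enabled
# (e.g. "RequireMutualAuthentication=1, RequireIntegrity=1" as in KB3000483).
function Get-UncHardeningStatus {
    if (-not (Test-Path $HardenedPathsKey)) {
        Write-Warning 'No HardenedPaths policy present; built-in defaults apply.'
        return
    }
    $item = Get-ItemProperty -Path $HardenedPathsKey
    foreach ($prop in $item.PSObject.Properties) {
        # Skip the PSPath/PSParentPath/... metadata PowerShell adds to the object.
        if ($prop.Name -like 'PS*') { continue }
        $flags = ConvertFrom-HardenedPathValue -Data ([string]$prop.Value)
        $weak = @()
        foreach ($f in 'RequireMutualAuthentication', 'RequireIntegrity', 'RequirePrivacy') {
            if ($flags.ContainsKey($f) -and $flags[$f] -eq 0) { $weak += $f }
        }
        [pscustomobject]@{
            Path     = $prop.Name
            Value    = $prop.Value
            Weakened = ($weak -join ', ')
        }
    }
}

Get-UncHardeningStatus | Format-Table -AutoSize
```

Any row with a non-empty Weakened column is an entry where the client will accept SYSVOL/NETLOGON content without the protection MS15-011 adds, which is what the two reg add commands above deliberately configure.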