GPO Windows 10 – UNC hardening

https://blogs.technet.microsoft.com/leesteve/2017/08/09/demystifying-the-unc-hardening-dilemma/

The processing of Group Policy failed. Windows attempted to read the file \\yourdomain.fqdn\sysvol\yourdomain.fqdn\Policies\{GPO GUID}\gpt.ini from a domain controller and was not successful.

Running dir \\yourdomain.fqdn\sysvol will also fail with the error: The network path was not found. You may also see an "access denied" instead.

If the above applies to you, you will need to fix this via the registry. First, a brief explanation of the three hardening settings involved.

RequireMutualAuthentication (this can be set to 0 or 1): By default, SMB doesn't actually perform mutual authentication itself, but delegates this to the security provider of the remote system. If the remote security provider negotiates an authentication, the connection is allowed. Mutual authentication is enforced by setting RequireMutualAuthentication to 1; setting it to 0 removes the requirement.

RequireIntegrity (this can be set to 0 or 1): This is where SMB signing comes into play. If you are still using SMBv1 (please don't), setting this to 1 will block access to the path, because it requires something the client cannot support.

RequirePrivacy (this can also be set to 0 or 1): This is where SMB encryption is required. SMB encryption is only supported on Windows 8/Server 2012 and later, meaning setting this will break connections to Windows 7 systems. I found this to be a troublemaker when testing.

So, back to fixing the problem: If you had the above error trying to apply Group Policy, navigate to this registry path on the Windows 10 clients:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths

You will need to set two entries (both REG_SZ):
1. \\*\sysvol
2. \\*\netlogon
each with this value: RequireMutualAuthentication=0, RequireIntegrity=0, RequirePrivacy=0

Of course, replace yourdomain.fqdn with your actual domain's FQDN. In addition, these settings can be tweaked to fit your environment better. Do keep in mind that a reboot is required after making this change; don't bother trying anything else until you have rebooted. You should then be able to run gpupdate /force successfully.
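The registry procedure above, as an added PowerShell example (not code from the original post): it records the current HardenedPaths entries, writes the two REG_SZ values for \\*\sysvol and \\*\netlogon, and re-tests the SYSVOL path. The defaults match the post's "all zero" value; the parameters are there because setting RequireMutualAuthentication and RequireIntegrity to 1 is what keeps the hardening in place once policy is applying again, and the script makes it easy to switch back. It assumes an elevated session and takes the domain FQDN from $env:USERDNSDOMAIN (replace it with your own if that variable is empty).

```powershell
# Added example, not part of the original post.
# Inspect and set the Hardened UNC Paths entries for SYSVOL/NETLOGON on a
# Windows 10 client, then re-test the share. Run from an elevated session.
[CmdletBinding()]
param(
    # Post's troubleshooting values are 0/0/0. 1/1/0 is the hardened setting
    # (mutual auth + signing required, no encryption so Windows 7 DCs still work).
    [ValidateSet(0, 1)][int]$RequireMutualAuthentication = 0,
    [ValidateSet(0, 1)][int]$RequireIntegrity            = 0,
    [ValidateSet(0, 1)][int]$RequirePrivacy              = 0,
    # Assumption: the client is domain-joined so this variable holds the FQDN.
    [string]$DomainFqdn = $env:USERDNSDOMAIN
)

$keyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'
$shares  = '\\*\sysvol', '\\*\netlogon'
$value   = "RequireMutualAuthentication=$RequireMutualAuthentication, " +
           "RequireIntegrity=$RequireIntegrity, RequirePrivacy=$RequirePrivacy"

# 1. Record what is there now, so the change is auditable.
if (Test-Path -Path $keyPath) {
    $current = Get-ItemProperty -Path $keyPath
    foreach ($share in $shares) {
        $existing = $current.$share
        if ($null -eq $existing) { $existing = '<not set>' }
        Write-Host ("Before: {0} = {1}" -f $share, $existing)
    }
} else {
    Write-Host "HardenedPaths key does not exist yet; creating it."
    New-Item -Path $keyPath -Force | Out-Null
}

# 2. Write the two entries as REG_SZ (String). -Force overwrites an existing value.
foreach ($share in $shares) {
    New-ItemProperty -Path $keyPath -Name $share -PropertyType String `
                     -Value $value -Force | Out-Null
    Write-Host ("After:  {0} = {1}" -f $share, $value)
}

# 3. Sanity-check the path now. The post notes the new values only take effect
#    after a reboot, so a failure here is expected until then.
$sysvol = "\\$DomainFqdn\sysvol"
if (Test-Path -LiteralPath $sysvol) {
    Write-Host "$sysvol is reachable."
    # Show how the SMB session to the DC was negotiated (dialect, signing, encryption).
    Get-SmbConnection |
        Where-Object { $_.ShareName -in @('sysvol', 'netlogon') } |
        Select-Object ServerName, ShareName, Dialect, Signed, Encrypted |
        Format-Table -AutoSize
} else {
    Write-Host "$sysvol not reachable yet ('The network path was not found' is expected before reboot)."
}

Write-Host "Reboot the client, then run: gpupdate /force"
```

Run it with no arguments to reproduce the post's fix, or with `-RequireMutualAuthentication 1 -RequireIntegrity 1` once Group Policy applies again; the "Before" lines give you something to paste into the change record.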

You may also set this in Group Policy, but keep in mind that changing this setting won't do you any good if the client is not able to contact the DC and apply policy – so first things first, work the registry. The GPO setting is located at:
Computer Configuration / Administrative Templates / Network / Network Provider, and the setting name is Hardened UNC Paths. Enable it, click Show, and add your shares and values there, e.g. \\*\sysvol as the value name and RequireMutualAuthentication=0, RequireIntegrity=0, RequirePrivacy=0 as the value.

Hope this helps demystify why Group Policy wasn't applying to these Windows 10 devices while it still applied to the Windows 7 ones.