petsva

  1. Hey guys,

     We are currently rolling out Windows 10 Enterprise 1511 at a new customer and we encountered a problem with policies not being applied on a Wi-Fi connection, even though Wait for Network Connection policies etc. are applied. After logging in to the system you can either do a GPUPDATE /Force or just wait, and policies are applied after random intervals of 15-45 min. The same system on a wired connection works.

     After troubleshooting DNS, NAP, 802.1x policies and logging network activity, I found this post: https://social.technet.microsoft.com/Forums/en-US/6a20e3f6-728a-4aa9-831a-6133f446ea08/gpos-do-not-apply-on-windows-10-enterprise-x64?forum=winserverGP

     It turns out that UNC Hardening is turned on by default in W10. After a little investigation, there is a lot of information saying that this should have been changed in the W10 Ent 1511 release, but it clearly is not. After getting home from the office I did some more testing, and in-place upgrades from W8, W8.1 are not affected by this, since they were solved with a patch from Microsoft disabling the UNC hardening feature by default.

     MS15-011 covers UNC hardening in more depth:
     https://support.microsoft.com/en-us/kb/3000483
     https://blogs.technet.microsoft.com/askpfeplat/2015/02/22/guidance-on-deployment-of-ms15-011-and-ms15-014/

     Adding these registry keys solved my issues completely and gives me time to test UNC Hardening fully in a lab environment before adding the feature in production:

         reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths /v "\\*\SYSVOL" /d "RequireMutualAuthentication=0" /t REG_SZ
         reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths /v "\\*\NETLOGON" /d "RequireMutualAuthentication=0" /t REG_SZ

     Note: By adding these registry keys you completely turn off the UNC Hardening on the Windows 10 client.

     I strongly recommend looking into MS15-011 and MS15-014 and implementing them to secure your environment against possible remote code execution.

     Br /Peter
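
A read-only check for the state this workaround leaves behind, added here as an example and not part of the original post: it lists every value under the HardenedPaths policy key named in the post and marks entries that are not set to `RequireMutualAuthentication=1, RequireIntegrity=1`, the values KB 3000483 gives for `\\*\SYSVOL` and `\\*\NETLOGON`. The function names are hypothetical.

```powershell
# Added example: audit the UNC Hardened Access policy values (reads only, changes nothing).

function ConvertFrom-HardenedPathValue {
    # Hypothetical helper: turns "Name=1, Other=0" into a hashtable of name -> flag.
    param([string]$Value)
    $settings = @{}
    foreach ($pair in ($Value -split ',')) {
        $name, $flag = $pair.Trim() -split '=', 2
        if ($name) { $settings[$name.Trim()] = "$flag".Trim() }
    }
    $settings
}

function Get-HardenedPathAudit {
    # Hypothetical helper: one output object per configured UNC pattern.
    param(
        [string]$Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Policy key not found: $Path (no hardened-path policy configured here)."
        return
    }
    # Value names such as \\*\SYSVOL contain a wildcard character, so read them
    # through the RegistryKey object rather than by property name.
    $regKey = Get-Item -LiteralPath $Path
    foreach ($unc in $regKey.GetValueNames()) {
        $raw = [string]$regKey.GetValue($unc)
        $s = ConvertFrom-HardenedPathValue -Value $raw
        $mutual = $s['RequireMutualAuthentication']
        $integrity = $s['RequireIntegrity']
        [pscustomobject]@{
            UncPath            = $unc
            RawValue           = $raw
            MutualAuth         = $mutual
            Integrity          = $integrity
            # True only when both flags are explicitly set to 1.
            MatchesRecommended = ($mutual -eq '1' -and $integrity -eq '1')
        }
    }
}

Get-HardenedPathAudit | Format-Table -AutoSize
```

On a client where the two `reg add` commands from the post were run, both `\\*\SYSVOL` and `\\*\NETLOGON` show `MutualAuth` 0 and `MatchesRecommended` False.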