Multiple computers (W10 Pro/Ent, WS2019, WS2012) had issues applying several GPOs that had been working correctly for months. The error was Filtering: Not Applied (Unknown Reason).
The GPOs fixed themselves automatically (reapplied) on subsequent background gpupdates without any changes made to AD or GP.
The only GPOs affected have a custom security group added to the Security Filtering section of the GPO (see image below).
Other GPOs with default Authenticated Users OR GPOs with only explicitly defined computers (without Authenticated Users) in Security Filtering were unaffected.
Example of GPO with issue:
What I observed on an affected computer:
Issues occurred on the day when the following two changes occurred:
Both DCs (WS2019, we only have 2) updated with KB4570333 and rebooted. Ample time allowed in between reboots for syncing.
Security groups changed scopes from Domain Local to Universal to Global.
Issues appeared on computers within the next several background gpupdates across our domain on multiple devices between 1 and 12 hours later (sometimes with multiple background gpupdates before GPOs were unapplied). Missing GPOs were pulled from both domain controllers.
No replication or obvious errors in DC event logs from that day. GPOs and group membership for security groups weren't changed. GPOs stopped applying/reapplied automatically on computers without any reboots.
It's almost as if the computers could not see themselves as members of the security groups anymore during a background gpupdate, for some unknown reason. And then they suddenly saw themselves as members again, for some unknown reason, and reapplied the GPOs.
Can anyone provide any insight into this behavior? Can anyone confirm that this should NOT be happening? Would the group scope changes cause this, and if so, is there any documentation to support this?