JoshuaThompson-0351 asked:

Group Policy intermittently not applying

We have Win10 workstations (v1909) that are intermittently not applying their group policies properly after a nightly restart. It seems to be centered only around the firewall policy.

After the restart we are noticing that the DOMAIN firewall profile is ON when we have specific group policies that turn that off.

When we see a workstation in this condition we run a "gpupdate /force" and the domain firewall profile gets disabled (per the policy).

Nothing stands out in the Event Viewer of the workstations that shows why the firewall policy is not being applied properly.

The workstations restart at midnight and we are still seeing the issue at 0530 in the AM so there has been plenty of time for the group policy to refresh.

I am not sure if this is a coincidence or not but we are not seeing this happen on workstations that have Win10 20H2 installed.

Any suggestions?

windows-group-policy

DaisyZhou-MSFT answered:

Hello @JoshuaThompson-0351,

Thank you for posting here.

1. How many Win10 workstations (v1909) are there that have this issue?
2. Do you mean the issue reoccurs after restarting the machine? If you do not restart the machine, there is no such issue, right?
3. Do all the Win10 v1909 workstations in the same OU have this issue?
4. How many DCs do you have in your AD environment?

You can try to check if AD replication is working fine by running the commands on PDC server.

repadmin /showrepl >c:\repsum1.txt

repadmin /replsum >c:\repsum2.txt

repadmin /showrepl * /csv >c:\repsum.csv

And you can try to check if SYSVOL replication is working fine by creating one file/folder under C:\Windows\SYSVOL\domain\Policies on any one DC, then checking if the new file/folder is replicated to the other DCs automatically after ten minutes.

For example:
If you have 2 DCs (DC1 and DC2), create file1 under C:\Windows\SYSVOL\domain\Policies on DC1, then check if file1 is replicated to C:\Windows\SYSVOL\domain\Policies on DC2 automatically after ten minutes.
And you can create file2 under C:\Windows\SYSVOL\domain\Policies on DC2, then check if file2 is replicated to C:\Windows\SYSVOL\domain\Policies on DC1 automatically after ten minutes.



If AD replication and SYSVOL replication between all DCs work fine, maybe the issue is related to the network: after the machine restarts, does it connect to the domain network immediately?
Or, if you do not run gpupdate /force, does the domain firewall profile get disabled (per the policy) automatically after 90-120 minutes?


Hope the information above is helpful.

Should you have any question or concern, please feel free to let us know.



Best Regards,
Daisy Zhou
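The two checks in the answer above, scripted, as an added example that is not part of the answer: the repadmin commands are written to files as described, the CSV is scanned for links with failures, and then a canary file is written under each DC's SYSVOL Policies folder and awaited on the other DC within the ten-minute window. It assumes an elevated PowerShell session on a DC as a domain admin; the domain name, DC names and output folder are placeholders for your own.

```powershell
# Added example (not from the original answer): scripted AD and SYSVOL replication checks.
# Assumptions: run elevated on a DC as a domain admin; names below are placeholders.
$Domain = 'corp.example.com'          # assumption: your AD DNS name
$Dcs    = @('DC1', 'DC2')             # assumption: the two DCs mentioned in the thread
$OutDir = 'C:\repcheck'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# --- 1. AD replication health (same commands as the answer, written to $OutDir) ---
repadmin /showrepl        > "$OutDir\repsum1.txt"
repadmin /replsum         > "$OutDir\repsum2.txt"
repadmin /showrepl * /csv > "$OutDir\repsum.csv"

# The CSV has one row per replication link; a healthy link has 0 in 'Number of Failures'.
$links  = Import-Csv "$OutDir\repsum.csv"
$failed = $links | Where-Object { [int]$_.'Number of Failures' -gt 0 }
if ($failed) {
    "AD replication: $($failed.Count) failing link(s)"
    $failed | Format-Table 'Source DSA', 'Destination DSA', 'Naming Context',
                           'Number of Failures', 'Last Failure Status' -AutoSize
} else {
    "AD replication: all $($links.Count) links report 0 failures"
}

# --- 2. SYSVOL replication canary ---
# C:\Windows\SYSVOL\domain\Policies on a DC is exposed as \\<DC>\SYSVOL\<domain>\Policies,
# so the same test the answer describes can be driven from one console over the share.
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
foreach ($src in $Dcs) {
    $name    = "repltest-$src-$stamp.txt"            # unique canary per source DC
    $srcPath = "\\$src\SYSVOL\$Domain\Policies\$name"
    Set-Content -Path $srcPath -Value "canary written on $src at $stamp"

    foreach ($dst in ($Dcs | Where-Object { $_ -ne $src })) {
        $dstPath  = "\\$dst\SYSVOL\$Domain\Policies\$name"
        $deadline = (Get-Date).AddMinutes(10)        # the answer's ten-minute window
        $seen     = $false
        while ((Get-Date) -lt $deadline) {
            if (Test-Path -Path $dstPath) { $seen = $true; break }
            Start-Sleep -Seconds 15
        }
        "SYSVOL {0} -> {1}: {2}" -f $src, $dst,
            $(if ($seen) { 'replicated' } else { 'NOT replicated within 10 minutes' })
    }
    # Remove the canary; the deletion replicates as well.
    Remove-Item -Path $srcPath -ErrorAction SilentlyContinue
}
```

A link that shows failures in the CSV, or a canary that never appears on the other DC, points at replication rather than at the workstations; if both checks pass, as they did in this thread, the cause is on the client side.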

Thank you for the reply.

There is a small group of about 5-10 workstations that have this issue. Some are more frequent than others.
The workstations are restarted nightly and we see the problem when I get in the next morning. Again, intermittently.

Sometimes the Domain firewall is off, like it's supposed to be, and sometimes it's on.
All workstations are in the same OU.
2 DCs in the environment.

repsum1.txt all shows successful
repsum2.txt shows 0 fails
repsum.csv shows no failures

I created the two test files (a different one on each DC in that location) and both replicated IMMEDIATELY to the other DC.

The machine 'should' connect to the network right away after a restart. I am reviewing event logs and not noticing anything that stands out. However the restarts are around midnight and the problem is still occurring almost 5 hours later. When I run a gpupdate /force the domain profile is disabled immediately.

Anything else to look at?

DaisyZhou-MSFT answered:

Hello @JoshuaThompson-0351,

Thank you for your update.

Would you please restart one machine manually to check if the same issue reoccurs (the DOMAIN firewall profile is ON)?

If so, we can try to capture a Process Monitor trace while you reproduce the issue. Then you can try to analyze the Process Monitor log and find any process or app that changes the DOMAIN firewall profile.

Or you can check if there is any audit policy to audit DOMAIN firewall profile changes. If so, try to configure the audit policy; then, if the issue reoccurs, check the corresponding log.


Hope the information above is helpful.

Thank you for your understanding and support.


Tip: Please kindly note that, since private information and security information may be involved, the forum does not analyze any logs.



Best Regards,
Daisy Zhou


Of course since I have posted this information we have had zero issues with the group policies not applying. It was pretty frequent prior.

The next time it happens I will report back.

Thinking about this more yesterday and I think what I should be trying to trace down is what is actually turning the domain profile firewall back on. I found any changes to the firewall settings are logged in the Event viewer > Application and Service logs > Microsoft > Windows > Windows Firewall with Advanced Security > Firewall.
Supposedly I can look for event ID 2003. This logs firewall profile changes and indicates what the modifying application is.

This could just be not so much that my group policy ISN'T applying but rather that some other process is manually turning the domain profile back on.

Are you aware of any instances where Microsoft (or another product) will automatically enable the built in firewall?
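An added example, not code from this thread, that ties together the symptom in the question, the audit suggestion in the answer above, and the event ID 2003 observation in the comment above. Run on an affected workstation after the nightly restart and before anyone runs gpupdate, it compares the Domain profile's effective state with what Group Policy delivered (the ActiveStore versus RSOP policy stores), shows when computer policy was last processed, and lists the Domain profile setting-change events (ID 2003) with every field they carry, including the modifying application. It assumes an elevated PowerShell session on Windows 10; the look-back window is a placeholder.

```powershell
# Added example (not from the thread): separate "policy never arrived" from "policy arrived
# and something turned the profile back on". Assumptions: elevated PowerShell on Windows 10;
# $LookBack is a placeholder chosen to cover a midnight restart checked at 05:30.
$LookBack = (Get-Date).AddHours(-8)

# --- 1. Effective state versus what Group Policy delivered ---
# ActiveStore = what the firewall is enforcing right now; RSOP = the sum of GPOs applied here.
$active = Get-NetFirewallProfile -Name Domain -PolicyStore ActiveStore
$rsop   = Get-NetFirewallProfile -Name Domain -PolicyStore RSOP -ErrorAction SilentlyContinue
[pscustomobject]@{
    ActiveEnabled = $active.Enabled
    PolicyEnabled = $(if ($rsop) { $rsop.Enabled } else { 'no firewall GPO present in RSOP' })
} | Format-List

# ActiveEnabled True with PolicyEnabled False means the GPO arrived and was later overridden;
# an empty RSOP means computer policy did not apply at all. Show the client's own record of
# the last computer policy processing time.
gpresult /r /scope:computer | Select-String 'Last time Group Policy was applied'

# --- 2. Firewall setting changes (event ID 2003), as noted in the comment above ---
$fwLog  = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
$events = Get-WinEvent -FilterHashtable @{ LogName = $fwLog; Id = 2003; StartTime = $LookBack } `
                       -ErrorAction SilentlyContinue
if ($events) {
    $events | ForEach-Object {
        # Flatten the EventData <Data Name="..."> elements so every field the event carries
        # (profile, setting, new value, modifying application) is shown without hard-coding names.
        $xml = [xml]$_.ToXml()
        $row = [ordered]@{ Time = $_.TimeCreated }
        foreach ($d in $xml.Event.EventData.Data) { $row[$d.Name] = $d.'#text' }
        [pscustomobject]$row
    } | Format-Table -AutoSize
} else {
    "No firewall setting-change events (ID 2003) since $LookBack"
}
```

Read the 2003 rows in time order: a change that lands after the last policy-processing time, attributed to something other than the Group Policy engine, is the process the comment above is looking for, and the same listing taken right after a gpupdate /force shows what the expected policy-driven change looks like for comparison.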
DaisyZhou-MSFT commented:

Hello @JoshuaThompson-0351,

Thank you for your update.

"Are you aware of any instances where Microsoft (or another product) will automatically enable the built in firewall?"
It is hard to answer. I think you may need to monitor via the two methods I mentioned above.


Best Regards,
Daisy Zhou


Thank you for your assistance.

