Question by James2995 (https://community.spiceworks.com/u/James2995), posted 2025-07-08:

Having a frustrating issue with domain Windows devices on wifi (tried PSK and EAP-TLS) not loading group policies when a device starts up. However it's inconsistent…

With a cable connected, GPOs load cleanly and without issue.

The issue is easiest to test straight after imaging a device (MECM task sequence): as soon as it's on the login screen, I can disconnect the cable, restart, and GPOs won't be picked up on startup or on logon. I can repeat that process over and over.

If I log in and try to access \\domain.local\sysvol it'll prompt for a username and password. Entering one says access denied.

I can leave the device logged in for 30-60 minutes and eventually it will start working: sysvol will be accessible and I can then do gpupdate /force for it to pull down the policies. Restart, though, and it'll fail again… albeit with the policies partially loaded.

Plug in a network cable, and the device works perfectly again. In fact, once it's pulled down the policies from a restart with the network cable plugged in and the user logged in, I can then unplug the network lead and it'll carry on working on subsequent restarts… yet to determine if that stops working after a period of time has passed though.

I've explored all sorts of avenues in attempting to resolve this. First I thought it was Credential Guard, then I thought it was the 802.1X profile. Then I thought maybe it's certificate problems.

If I disable UNC path hardening on sysvol, it works. That's the temporary workaround I've put in place for users. To me this suggests a Kerberos issue with the machine account, but why would that be wifi specific? I'm at a complete loss and desperate for help!
Answer by James2995, posted 2025-07-08:

I think after days of tearing my hair out, I might have finally solved this one.

It was all down to overly restrictive settings in Windows Defender Exploit Guard settings deployed via GPO in an XML file.

I don't know which of the 5 exploit guard settings was causing it; for now I've disabled exploit guard entirely, but this was the XML file in question:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<MitigationPolicy>
  <!-- SystemConfig applies these mitigations machine-wide, to every process -->
  <SystemConfig>
    <DEP Enable="true" EmulateAtlThunks="false" />
    <ASLR ForceRelocateImages="true" RequireInfo="false" BottomUp="true" HighEntropy="true" />
    <ControlFlowGuard Enable="true" SuppressExports="false" />
    <SEHOP Enable="true" TelemetryOnly="false" />
    <Heap TerminateOnError="true" />
  </SystemConfig>
</MitigationPolicy>
```
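An added diagnostic script (mine, not the thread author's) that captures on one affected client the state this thread's troubleshooting turned on: the adapters that are up, the UNC hardening policy as delivered by GPO, the system-wide Exploit Guard mitigations, the computer account's Kerberos tickets, SYSVOL reachability and recent Group Policy errors. It assumes an elevated PowerShell session on a Windows 10/11 domain client, that the ProcessMitigations module property names are Dep, Aslr, Cfg, SEHOP and Heap, and uses `domain.local` as a placeholder domain.

```powershell
# Added diagnostic, not from the thread. Run elevated on the affected client
# (the machine-ticket listing needs admin rights). Domain name is a placeholder.
function Get-SysvolHardeningState {
    param([string]$Domain = 'domain.local')

    # 1. Adapters that are up: separates the Wi-Fi-only case from the cabled one.
    $adapters = Get-NetAdapter | Where-Object Status -eq 'Up' |
        Select-Object Name, InterfaceDescription, MediaType

    # 2. UNC hardening policy (RequireMutualAuthentication / RequireIntegrity per path).
    $hpKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'
    $hardened = if (Test-Path $hpKey) {
        Get-ItemProperty $hpKey | Select-Object -Property * -ExcludeProperty PS*
    } else { 'No HardenedPaths policy present' }

    # 3. System-wide Exploit Guard mitigations, i.e. what the MitigationPolicy
    #    XML's <SystemConfig> section sets (property names assumed, see lead-in).
    $mitigations = Get-ProcessMitigation -System |
        Select-Object Dep, Aslr, Cfg, SEHOP, Heap

    # 4. Kerberos tickets held by the computer account (SYSTEM logon session 0x3e7).
    #    Hardened SYSVOL requires mutual auth, so a missing krbtgt/cifs ticket here
    #    shows up as the "access denied" the thread describes.
    $machineTickets = & klist.exe -li 0x3e7 2>&1 | Out-String

    # 5. Current SYSVOL reachability (as the running user) plus any Group Policy
    #    errors/warnings (Level 1-3) from the operational log.
    $sysvolOk = Test-Path "\\$Domain\SYSVOL"
    $gpEvents = Get-WinEvent -LogName 'Microsoft-Windows-GroupPolicy/Operational' `
        -MaxEvents 50 -ErrorAction SilentlyContinue |
        Where-Object { $_.Level -in 1, 2, 3 } |
        Select-Object TimeCreated, Id, Message

    [pscustomobject]@{
        Adapters        = $adapters
        HardenedPaths   = $hardened
        Mitigations     = $mitigations
        MachineTickets  = $machineTickets
        SysvolReachable = $sysvolOk
        GpErrors        = $gpEvents
    }
}

Get-SysvolHardeningState -Domain 'domain.local' | Format-List
```

Capture the output once on Wi-Fi right after a reboot and once on cable; the diff between the two snapshots (tickets present, mitigations applied, GP error IDs) is what narrows the cause before changing policy.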