Windows 10 and GPO only applies when "Authenticated Users" is added to Security filtering

Crossroads305
Crossroads305 used Ask the Experts™
on
So I don't know if I should chalk this up to a "Feature" in windows 10 but I've been having problems with GPO only applying randomly or not at all to users since we started rolling out windows 10. This does not happen with windows 7 or below or 2008.  Has anyone else had this problem? Did Microsoft change the way filters are applied through GPO with windows 10? I updated to the latest windows 10 GPOs thinking mine were outdated and it didn't help til I added that. is this a new "Best Practices" that Microsoft recently put in place and want you to do WMI filtering instead, which I have no clue how to do, or is this just flat out a bug? All my AD replications and every test I ran have come back as good. Is there any other underlying cause that could cause this kind of issue?

Backstory:
The one policy we had was filtered to specific users. After hours of troubleshooting, because it was only happening on 1 of several machines that the user logged into it seemed all to point to a user issue. I was able to replicated the issue with another user I created but not with any other active user including mine. I ran gpupdate several times it always came back with successful, but when I ran gpresult the offending policy wasn't there. like it was ignored completely and not in the folder. I thought some how it got unlinked, checked that. Everything seemed fine, the users who it was filtered to had rights to it. it worked on other computers on the network. So on a hunch I saw all policies that worked had one thing in common, they were only applied to Authenticated users. So while not removing the old settings, I added that in and gpupdate /force. Right away the GPO applied and everything was well, multiple log outs and log in on the computer I tested worked.
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Microsoft change the way filters are applied through GPO with windows 10?

Microsoft has fundamentally changed the way GPO's applied since MS16-072 (or KB3163622) to prevent a MiTM vulnerability. See the MS PFE blog post here. Since this patch, the computer requires permission to all GPO's whether they contain user or computer settings. Microsoft recommend adding Authenticated Users to the ACL with read access.

The good news is the fix is straight forward. There is a script in the article which you can run to quickly add Authenticated Users to any GPO missing this ACL.

Otherwise check out the TechNet Wiki on top GPO issues here. Assuming you don't have some sort of infrastructure issue most cases can be resolved by one of these common issues.
Distinguished Expert 2018
Commented:
It is worth noting that this is not unique to Windows 10. Microsoft changed this in June for all OSes. Don't blame win10.

Author

Commented:
Intresting, do you know of the KB article that states that?
Ensure you’re charging the right price for your IT

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden using our free interactive tool and use it to determine the right price for your IT services. Start calculating Now!

Distinguished Expert 2018
Commented:
Learnctx posted those already in his response.

Author

Commented:
Thanks Guys, this it's really helpful.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial