This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(105.60000000000001, 31%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAR%3C/text%3E%3C/svg%3E)
Per this guide, we are attempting to enable hardening on our file shares and are having some issues. For background:
We are using the group policy Computer Configuration > Administrative Templates > Network > Network Provider > Hardened UNC Paths.
The policy is applying to the client computers and, when navigating to the file share directly in File Explorer (\\FS-VM\FileShare) and opening a file, I can see (in Wireshark) that all SMB traffic is encrypted, exactly like we expect.
However, if I navigate to the same share through its DFS link (\\domain.local\Files\FileShare), I can see in Wireshark that none of the traffic is encrypted as if the UNC Hardening policy is not applying at all. This is the case whether I navigate through the mapped drive or directly using the network path above. You'll notice for the sake of testing we also tried adding the DFS path to the group policy to no avail.
I tried changing the DFS path of the file server from FS-VM to FS-VM.domain.local, just to see if this would make a difference and it did not.
I tried various other entries for the policy as well:
I can't find any documentation anywhere that indicates that the UNC Hardening group policy doesn't work DFS shared folder paths, so I don't understand what the problem is here.
Does anyone know what I'm doing wrong? Why doesn't UNC hardening work with DFS shared folders? Is this by design?
PS: All of the paths above had two backslashes at the beginning. They were removed when I posted the question.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(275.2, 36%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ENE%3C/text%3E%3C/svg%3E)
Hello, we've observed a similar behavior. While we can safeguard various UNC paths from other servers, hardened UNC paths don't seem to function correctly with DFS shares.
We tried several varieties like:
\\ domain.local \*
\\ dfs \
\\ domain.local\ dfs \*
\\ domain.local\ dfs \share
Is there some information about UNC hardened paths with DFS?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(67.2, 68%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELT%3C/text%3E%3C/svg%3E)
Hi,
Thank you for posting your query.
Kindly follow the steps provided below to resolve your issue.
We have a topic with a problem similar to yours, I recommend you see the article below:
Go to this link for your reference and other troubleshooting procedures https://learn.microsoft.com/en-us/answers/questions/569202/gpo-unc-hardening-with-privacy-not-working-when-ho
Do not hesitate to message us if you need further assistance.
If the answer is helpful kindly click "Accept as Answer" and up vote it.
@Limitless Technology Neither of the provided links are relevant to this issue. The first linked issue references someone not being able to find the group policy setting - this is not the problem I'm having. The second linked article refers to the policy not working when the server has a hyphen in the name. Again, this is not related to my issue. Before posting here, I searched extensively and found both of these articles. I'm asking this question here because nothing I've found is at all related to the issue i'm having. Please re-read my original question.