This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(310.4, 38%, 40%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJT%3C/text%3E%3C/svg%3E)
We have Win10 workstations (v1909) that are intermittently not applying their group policies properly after a nightly restart. It seems to be centered only around the firewall policy.
After the restart we are noticing that the DOMAIN firewall profile is ON when we have specific group policies that turn that off.
When we see a workstation in this condition we run a "gpupdate /force" and the domain firewall profile gets disabled (per the policy).
Nothing stands out in the Event viewer of the workstations that show why the firewall policy is not being applied properly.
The workstations restart at midnight and we are still seeing the issue at 0530 in the AM so there has been plenty of time for the group policy to refresh.
I am not sure if this is a coincidence or not but we are not seeing this happen on workstations that have Win10 20H2 installed.
Any suggestions?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(96, 62%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDZ%3C/text%3E%3C/svg%3E)
Hello @Joshua Thompson ,
Thank you for posting here.
1.How many Win10 workstations (v1909) are there have such issue?
2.Do you mean the issue reoccurs after restarting the machine? If you do not restart the machine, there is no such issue, right?
3.Are all the Win10 workstations v1909 in the same OU have such issue?
4.How many DCs do you have in your AD environment?
You can try to check if AD replication is working fine by running the commands on PDC server.
repadmin /showrepl >c:\repsum1.txt
repadmin /replsum >c:\repsum2.txt
repadmin /showrepl * /csv >c:\repsum.csv
And you can try to check if SYSVOL replication is working fine by creating one file/folder under C:\Windows\SYSVOL\domain\Policies on any one DC, then check if the new file/folder can be replicated to each other after ten minutes later automatically.
For example:
If you have 2 DCs (DC1 and DC1), create file1 under C:\Windows\SYSVOL\domain\Policies on DC1, check if file1 can be replicated to C:\Windows\SYSVOL\domain\Policies on DC2 after ten minutes later automatically.
And you can create file2 under C:\Windows\SYSVOL\domain\Policies on DC2, check if file2 can be replicated to C:\Windows\SYSVOL\domain\Policies on DC1 after ten minutes later automatically.
If AD replication and SYSVOL replication between all DCs works fine.
Maybe the issue is related to network, after the machine restart, does the machine connected to domain network immediately?
Or if you do not run gpupdate /force, does the domain firewall profile gets disabled (per the policy) after 90-120 minutes later automatically?
Hope the information above is helpful.
Should you have any question or concern, please feel free to let us know.
Best Regards,
Daisy Zhou
Thank you for the reply.
There is small group of about 5-10 workstations that have this issue. Some are more frequent than others.
The workstations are restarted nightly and we see the problem when I get in the next morning. Again, intermittently.
Sometimes the Domain firewall is off, like its supposed to be, and sometimes its on.
All workstations are in the same OU.
2 DC's in the environment.
repsum1.txt all shows successful
repsum2.txt shows 0 fails
repsum.csv shows no failures
I created the two test files (a different one on each DC in that location) and both replicated IMMEDIATELY to the other DC.
The machine 'should' connect to the network right away after a restart. I am reviewing event logs and not noticing anything that stands out. However the restarts are around midnight and the problem is still occurring almost 5 hours later. When I run a gpupdate /force the domain profile is disabled immediately.
Anything else to look at?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(70.4, 10%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJM%3C/text%3E%3C/svg%3E)
Hi Daisy,
We're having this same issue on select Windows Servers. It turns out it's this same issue regarding group policy taking too long and Windows defaulting to the persistent store.
The question is, why isn't the server (or host) applying the 90 minute to 120 minute group policy refresh like it's supposed to automatically?
EDIT: Matthias answered my question below.
"A normal group policy update actually does update the setting correctly, but only to the RSOP store of the Windows Firewall - it doesn't merge it with the ActiveStore.
Get-NetFirewallProfile -Profile Domain -PolicyStore RSOP
Get-NetFirewallProfile -Profile Domain -PolicyStore ActiveStore
Forcing an update (gpupdate /force) or restarting the MpsSvc will successfully apply it though."
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(131.20000000000002, 63%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMF%3C/text%3E%3C/svg%3E)
FYI I found the issue.
The problem is the following setting which is part of the recommended configurations in the CIS benchmark for Windows Server.
18.8.21.2 (L1) Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE' (Automated)
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy{35378EAC-683F-11D2-A89A-00C04FBBCFA2}:NoBackgroundPolicy
Registry processing takes too long and the MpsSvc starts with the settings in the PersistentStore.
You can deploy the PeristentStore settings via the following registry key:
SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile EnableFirewall REG_DWORD: 0x0 (0)
17:41:36.9470338 svchost.exe 2000 2596 RegDeleteValue HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\EnableFirewall SUCCESS
17:41:44.6079838 svchost.exe 2100 3508 RegQueryValue HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall SUCCESS Type: REG_DWORD, Length: 4, Data: 1
38724 [3] 0834.0DB4::10/18/22-17:41:44.6986418 [windows] dllmain_cpp1227 FwGPLockInternal() - FwGPLockInternal: EnterCriticalPolicySectionExStub returned 0000000000000000
38725 [3] 0834.0DB4::10/18/22-17:41:44.6986465 [lh] fw_prof_mgr_c2023 FwProfileMgrUpdateCachedPolicy() - Acquiring the GP Lock Failed... GP will not be pushed, until next GP notification (soon to come)
38726 [3] 0834.0DB4::10/18/22-17:41:44.6986473 [lh] fw_prof_mgr_c2027 FwProfileMgrUpdateCachedPolicy() - updateGroupStore=0
This is exactly what's happening to us. I've been researching this for months, and after reading this post, realized that the PersistenStore is also set to "True" for the Windows Servers we're having this issue on. Thank you!
I guess my next question is, why isn't the domain Group Policy Interval updating it on the host? (Workstation and/or Servers). You'd think within the 90 to 120 minute window it would eventually update, but in our case (maybe yours too), it doesn't.
Happy to help :) Took me a while too.
A normal group policy update actually does update the setting correctly, but only to the RSOP store of the Windows Firewall - it doesn't merge it with the ActiveStore!
Get-NetFirewallProfile -Profile Domain -PolicyStore RSOP
Get-NetFirewallProfile -Profile Domain -PolicyStore ActiveStore
Forcing an update (gpupdate /force) or restarting the MpsSvc will successfully apply it though.
Hey Matthias,
Thank you for this explanation. This just happened to our production SQL cluster. Firewall got turned on, on the active SQL node in the cluster, none of our applications could connect to the database. This really is a pain. It's like some unnecessary solution needs to be created, like a scheduled task, or something to ensure firewall gets turned off after a reboot.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(102.4, 35%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EM%3C/text%3E%3C/svg%3E)
Well basically what we did was deploy a GPO that sets the following registry key to all machines where the domain profile should be turned off - no more problems since then. :)
SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile EnableFirewall REG_DWORD: 0x0 (0)
Hello @Joshua Thompson ,
Thank you for your update.
Would you please check if you restart one machine manually to see if the same issue reoccurs(DOMAIN firewall profile is ON)?
If so, we can try to capture the Process Monitor during you reproduce the issue. Then you can try to analyze the Process Monitor log and find any process or app change the DOMAIN firewall profile.
Or you can check if there is any audit policy to audit DOMAIN firewall profile changes. If so, try to configure the audit policy, then if the issue reoccurs, check the corresponding log.
Hope the information above is helpful.
Thank you for your understanding and support.
Tip: Please kindly remind that since private information and security information may be involved, the forum does not analyze any logs.
Best Regards,
Daisy Zhou
Of course since I have posted this information we have had zero issues with the group policies not applying. It was pretty frequent prior.
The next time it happens I will report back.
Thinking about this more yesterday and I think what I should be trying to trace down is what is actually turning the domain profile firewall back on. I found any changes to the firewall settings are logged in the Event viewer > Application and Service logs > Microsoft > Windows > Windows Firewall with Advanced Security > Firewall.
Supposedly I can look for event ID 2003. This logs firewall profile changes and indicates what the modifying application is.
This could just be not so much that my group policy ISNT applying but rather some other process is manually turning the domain profile back on.
Are you aware of any instances where Microsoft (or another product) will automatically enable the built in firewall?
Hello @Joshua Thompson ,
Thank you for your update.
Are you aware of any instances where Microsoft (or another product) will automatically enable the built in firewall?
It is hard to answer it. I think you may need to monitor via the two methonds I mentioned above.
Best Regards,
Daisy Zhou
Thank you for your assistance.
Hello @Joshua Thompson ,
You are welcome!
As always, if there is any question in future, we warmly welcome you to post in this forum again. We are happy to assist you!
Best Regards,
Daisy Zhou
I am having the EXACT same issue on Windows Server 2016.
Did you ever find the root cause for this strange behavior? Potentially an AV issue?
Thanks
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(3.2, 45%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJT%3C/text%3E%3C/svg%3E)
Unfortunately I was never able to narrow the problem fix.
I 'believe' this went away when we rolled out 20H2 to all of our workstations.