Netlogon errors with Horizon Instant-Clones

The last couple of months I’ve been working on a project with Windows 10 (1607) and Horizon View 7.1.  All desktops are being provisioned with the Instant-Clone technology.
I must say that I was skeptical at first about deploying Windows 10 in an enterprise organization.
Of course there are still some issues and “bugs”, but for now all looks fine!

About the issue:
We deployed desktop pools based on Instant-Clones, but we quickly got feedback from several users that they were missing mappings, personal settings and printers. The strange thing was that not everybody was experiencing this issue.

Note: I did not experience these issues with Linked-Clone pools.

Troubleshooting:
So the first thing I did was log on multiple times to reproduce the issue.
After my third logon I noticed the following:
• No Group Policies
• No UEM (of course)

Opening the event viewer showed me the following error:
“Netlogon Error 5719”

Besides the Netlogon error there were three more errors (all related to Netlogon):

My first thought was that Instant-Clones were too quick for Active Directory to keep up.
So I checked the Domain Controllers (intra/intersite replication), DNS, DHCP and Group Policies.
I noticed and resolved the following points and thought that this must do the trick:
• DNS records missing (Domain Controllers)
• DHCP scopes with wrong DNS servers
• Missing reverse DNS

The first tests were positive, but after a few hours the first users experienced the same errors again.

Solution:
So what's next… Google, what else…
After reading about 100 blogs and even more pages I bumped into a subject called “UNC hardening” on Windows 10 (MS KB3000483). In my case we had to change RequireMutualAuthentication for both the NETLOGON and SYSVOL locations. I placed the following two registry settings in the Windows 10 ParentVM (golden image).

%COMSPEC% /C reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths /v "\\*\SYSVOL" /d "RequireMutualAuthentication=0" /t REG_SZ

%COMSPEC% /C reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths /v "\\*\NETLOGON" /d "RequireMutualAuthentication=0" /t REG_SZ

After placing the regkeys the registry looks like this:

After placing these keys in the template, we sealed it and republished the desktop pools.
Now, after running for two weeks with these keys, all problems are solved!
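As an added check that is not part of the original post: the PowerShell below reads the HardenedPaths policy key used above and reports every SYSVOL or NETLOGON entry whose RequireMutualAuthentication is 0, so you can find golden images and desktops where the KB3000483 (MS15-011) protection has been relaxed. It assumes an elevated session and the key path and "Name=Value" string format shown in the reg add commands; the function name is my own.

```powershell
# Added example, not code from the original post.
# Audits the UNC Hardened Paths policy key and flags SYSVOL/NETLOGON entries
# that disable mutual authentication (RequireMutualAuthentication=0).
# Assumption: run elevated on the Windows 10 image or desktop being checked.

$keyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'

function Get-HardenedPathPolicy {
    param([string]$Path = $keyPath)

    if (-not (Test-Path -Path $Path)) {
        Write-Warning "No HardenedPaths policy key at $Path (built-in defaults apply)."
        return @()
    }

    $item = Get-Item -Path $Path
    foreach ($name in $item.GetValueNames()) {
        # Each value is a REG_SZ such as "RequireMutualAuthentication=0, RequireIntegrity=1"
        $raw = [string]$item.GetValue($name)
        $settings = @{}
        foreach ($pair in ($raw -split ',')) {
            $kv = $pair.Trim() -split '=', 2
            if ($kv.Count -eq 2) { $settings[$kv[0].Trim()] = $kv[1].Trim() }
        }
        [pscustomobject]@{
            UncPath                     = $name
            RequireMutualAuthentication = $settings['RequireMutualAuthentication']
            RequireIntegrity            = $settings['RequireIntegrity']
            RequirePrivacy              = $settings['RequirePrivacy']
            Raw                         = $raw
        }
    }
}

$policy = Get-HardenedPathPolicy
$policy | Format-Table -AutoSize

# The two entries the post adds: SYSVOL and NETLOGON with mutual authentication off
$weakened = $policy | Where-Object {
    $_.UncPath -match 'SYSVOL|NETLOGON' -and $_.RequireMutualAuthentication -eq '0'
}
if ($weakened) {
    Write-Warning "Mutual authentication is disabled for: $($weakened.UncPath -join ', ')"
} else {
    Write-Output 'No SYSVOL/NETLOGON hardened-path entries with RequireMutualAuthentication=0.'
}
```

Run it against the sealed ParentVM before publishing a pool, or push it through your inventory tooling, to see which images still carry the workaround.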
