pugmohone
So I am working on a Windows 10 deployment for a customer. SMB1 is not part of the installed image. They wanted to apply security GPOs, which my co-worker applied. We expected issues and that we could resolve them as they came up. We have been struggling with a particular issue for weeks now and feel we are at least getting closer.
Situation:
Random laptops and workstations were not able to log anyone in. We deduced it was because the netlogon service was not running. (Especially frustrating to resolve when everyone is WFH because of COVID)
We created a script to be run to repair the issue on the broken PCs by connecting a Teams session and on all new PCs and all Windows 10 that does the following:
# Set MRxSmb service to Auto Start
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\services\mrxsmb" -Name "Start" -Type DWord -Value 2 -Force
# Set MRxSmb20 service to Auto Start
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\services\mrxsmb20" -Name "Start" -Type DWord -Value 2 -Force
# Start MRxSmb Service
Start-Service mrxsmb -Confirm:$false
# Start MRxSmb20 Service
Start-Service mrxsmb20 -Confirm:$false
# Start Workstation Service
Start-Service lanmanworkstation -Confirm:$false
# Start Netlogon Service
Start-Service netlogon -Confirm:$false
# Set Workstation Service Dependencies to Bowser, MRxSmb20, and NSI
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\services\lanmanworkstation" -Name "DependOnService" -Value "Bowser", "MRxSmb20", "NSI" -Type MultiString
# Set MRxSmb10 Service to Disabled
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\services\mrxsmb10" -Name "Start" -Type DWord -Value 4 -Force
# Set Server Parameters SMB1 to Disabled
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" -Name "SMB1" -Type DWord -Value 0 -Force
# Set Server Parameters SMB2 to Enabled
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" -Name "SMB2" -Type DWord -Value 1 -Force
We have had some repeat customers, if you will, with the whole netlogon service not running. We were then able to determine that the DependOnService entry for lanmanworkstation was being deleted. Normally it was set to Bowser, MRxSmb20, and NSI.
Looking closer at the GPOs being applied, I found that the following policy was being applied:
Computer Configuration - Policies - Administrative Templates - MS Security Guide - Configure SMB v1 client (extra setting needed for pre-Win8.1 / 2012R2) was being set to Disabled.
In the Description of this policy it clearly states:
WARNING: DO NOT SELECT THE "DISABLED" RADIO BUTTON UNDER ANY CIRCUMSTANCES!
I have changed this policy to Not Configured. Time will tell if this fixes the issue permanently, but I am wondering if anyone has seen this particular GPO cause havoc like deleting the dependency for the workstation service? I would really like this issue to go away permanently, and we are 90% sure the deleted entry is what is causing the netlogon service to not start. We are now in the stage of determining why the entry is getting deleted.
I was able to reproduce the issue on a Hyper-V instance of Windows 10 by deleting the dependency registry entry for lanmanworkstation, but needed to fully disable the network connection and restart to see the issue. The script fixes the problem and after a reboot everything is good to go. Not sure if that helps or not.
Any thoughts or help on this would be greatly appreciated.
Matt Dillon
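A read-only drift check for the condition described in the post, added here as an example and not part of the original post or script. It compares the lanmanworkstation DependOnService list, the SMB driver Start values and the Workstation/Netlogon service state against the values the post's repair script sets; the function name Test-SmbClientBaseline is hypothetical, and treating a missing mrxsmb10 key as acceptable is an assumption based on the image not including SMB1.

```powershell
# Added example: reports drift only, changes nothing.
# Expected values are the ones the repair script in the post writes.
$svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Test-SmbClientBaseline {
    $findings = @()

    # 1. Workstation dependency list (the entry the post found deleted).
    $expectedDeps = 'Bowser', 'MRxSmb20', 'NSI'
    $ws = Get-ItemProperty -Path "$svcRoot\LanmanWorkstation" -ErrorAction SilentlyContinue
    $actualDeps = @($ws.DependOnService | Where-Object { $_ })
    $missing = @($expectedDeps | Where-Object { $actualDeps -notcontains $_ })
    if ($missing.Count -gt 0) {
        $findings += [pscustomobject]@{
            Check  = 'LanmanWorkstation\DependOnService'
            Actual = ($actualDeps -join ', ')
            Issue  = "missing: $($missing -join ', ')"
        }
    }

    # 2. Driver start types: 2 = Auto Start, 4 = Disabled (as in the post).
    $expectedStart = @{ mrxsmb = 2; mrxsmb20 = 2; mrxsmb10 = 4 }
    foreach ($name in $expectedStart.Keys) {
        $start = (Get-ItemProperty -Path "$svcRoot\$name" -ErrorAction SilentlyContinue).Start
        # Assumption: no mrxsmb10 key means SMB1 is not installed, which is fine.
        if ($null -eq $start -and $name -eq 'mrxsmb10') { continue }
        if ($start -ne $expectedStart[$name]) {
            $findings += [pscustomobject]@{
                Check  = "$name\Start"
                Actual = "$start"
                Issue  = "expected $($expectedStart[$name])"
            }
        }
    }

    # 3. Services that must be running for domain logon to work.
    foreach ($svc in 'LanmanWorkstation', 'Netlogon') {
        $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
        if (-not $s -or $s.Status -ne 'Running') {
            $findings += [pscustomobject]@{
                Check = "$svc service"; Actual = "$($s.Status)"; Issue = 'not running'
            }
        }
    }
    return $findings
}

$result = Test-SmbClientBaseline
if ($result) { $result | Format-Table -AutoSize; exit 1 } else { 'Baseline OK'; exit 0 }
```

Run on a schedule or after each Group Policy refresh, the non-zero exit code shows which machines lost the dependency entry and when, before users hit a failed logon.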