With the deployment of Windows 11 24H2, you may run into Group Policy application failures, which become visible when you run the gpupdate command.
Error message:
Computer policy could not be updated successfully. The following errors were encountered:
Group Policy processing failed. Windows could not resolve the computer name. This could be due to one of the following reasons:
a) Name resolution failed on the current domain controller.
b) Active Directory replication latency (an account created on another domain controller was not replicated to the current domain controller).
User policy could not be updated successfully. The following errors were encountered:
Group Policy processing failed. Windows could not authenticate with the Active Directory service on a domain controller. (LDAP Bind function call failed). See the Details tab for the error code and description.
To diagnose the failure, check the event log or run GPRESULT /H GPReport.htm
As is often the case with this message, the first suspect is DNS: a failure to resolve the Active Directory domain name.
With Windows 11 24H2, the cause is elsewhere: the encryption types allowed for Kerberos tickets. This version of Windows no longer uses RC4 for Kerberos by default, so AES (AES128_HMAC_SHA1 and AES256_HMAC_SHA1) must be enabled in the allowed Kerberos encryption types. If a policy leaves only RC4 or DES enabled, the client and the domain controller have no cipher in common, the Kerberos-authenticated LDAP bind fails, and Group Policy can neither locate the computer object nor authenticate the user, which is exactly what the two messages above describe.
In Active Directory environments that have existed for several years, it is not uncommon to find a Group Policy that configures the Kerberos encryption types with the AES ciphers unchecked.
To resolve the issue, support for AES128_HMAC_SHA1 and AES256_HMAC_SHA1 must be enabled.
Before you configure Group Policy for the workstations and servers in your environment, make sure your domain controllers also allow these encryption types: the same setting may reach them through another GPO (for example one linked to the Domain Controllers OU), so check the value that is actually in effect on each DC.
Once that verification is done, you can enable these encryption types for the entire fleet.
You can find the setting: Network Security: Configure allowed encryption types for Kerberos in the following location: Computer Configuration / Policies / Windows Settings / Security Settings / Local Policies / Security Options.
Configure the setting to enable AES128_HMAC_SHA1, AES256_HMAC_SHA1 and Future encryption types.
If older encryption types (DES_CBC_CRC, DES_CBC_MD5, RC4_HMAC_MD5) are also enabled, plan to disable them where possible, after checking that no service or application account still depends on them.
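The policy above is stored on each machine as a bitmask in the registry, so the domain-controller check and the post-rollout verification can be scripted. The following PowerShell is an added example, not code from the original post: it decodes the bitmask with the same names the GPO editor shows, reads the effective value from the domain controllers over WinRM, and reports whether both AES types are allowed. It assumes the ActiveDirectory module is installed and that WinRM is reachable on the DCs; the function names are my own.

```powershell
# Added example (not from the original post): decode and audit the
# "Network Security: Configure allowed encryption types for Kerberos" value.
# Windows stores the policy as a bitmask under the registry key below. A missing
# value means the OS default applies, which on Windows 11 24H2 no longer
# includes RC4. Assumes the ActiveDirectory module and WinRM access to the DCs.

$KerbRegKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'

# Bit values as written by the GPO (same order as the checkboxes in the editor).
$KerbEtypeFlags = [ordered]@{
    DES_CBC_CRC      = 0x1
    DES_CBC_MD5      = 0x2
    RC4_HMAC_MD5     = 0x4
    AES128_HMAC_SHA1 = 0x8
    AES256_HMAC_SHA1 = 0x10
    Future           = 0x7FFFFFE0   # "Future encryption types" checkbox
}

# Value the GPO writes when exactly AES128, AES256 and Future are ticked.
$KerbTargetValue = 0x7FFFFFF8
$AesBits         = 0x18            # AES128 | AES256

function ConvertFrom-KerbEtypeMask {
    # Turns the raw DWORD into the list of enabled type names.
    param([Nullable[int]]$Value)
    if ($null -eq $Value) { return @('(not set: OS default applies)') }
    $names = foreach ($name in $KerbEtypeFlags.Keys) {
        if (($Value -band $KerbEtypeFlags[$name]) -ne 0) { $name }
    }
    return @($names)
}

function Test-KerbEtypeValue {
    # $true when both AES types are allowed, or when no policy value is set.
    param([Nullable[int]]$Value)
    return ($null -eq $Value) -or (($Value -band $AesBits) -eq $AesBits)
}

function Get-KerbEtypeReport {
    # Reads the effective registry value from each host over WinRM and decodes it.
    param([Parameter(Mandatory)][string[]]$ComputerName)
    $raw = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $v = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters' `
                -Name SupportedEncryptionTypes -ErrorAction SilentlyContinue).SupportedEncryptionTypes
        [pscustomobject]@{ Computer = $env:COMPUTERNAME; Value = $v }
    }
    foreach ($r in $raw) {
        $hex = if ($null -ne $r.Value) { '0x{0:X8}' -f $r.Value } else { '(none)' }
        [pscustomobject]@{
            Computer = $r.Computer
            Raw      = $hex
            Enabled  = (ConvertFrom-KerbEtypeMask $r.Value) -join ', '
            AESOk    = Test-KerbEtypeValue $r.Value
        }
    }
}

# 1. Domain controllers first, as the article recommends.
Import-Module ActiveDirectory
$dcs = (Get-ADDomainController -Filter *).HostName
Get-KerbEtypeReport -ComputerName $dcs | Format-Table -AutoSize

# 2. What a workstation should report once the corrected GPO has applied.
'Target value after GPO: 0x{0:X8} = {1}' -f $KerbTargetValue,
    ((ConvertFrom-KerbEtypeMask $KerbTargetValue) -join ', ')
```

Any DC whose report shows AESOk = False (for example Raw = 0x00000004, RC4 only) must be fixed before the workstation GPO is rolled out. After the rollout, `klist tgt` on a client should show a KerbTicket Encryption Type of AES-256-CTS-HMAC-SHA1-96 rather than RC4-HMAC(NT).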
This change can have side effects. Once it is applied at the computer level, users may run into authentication problems, in particular when they lock their session: on unlocking, Windows reports that the password is incorrect. The computer must be restarted to resolve it, since the restart discards the Kerberos tickets that were cached under the old policy.
For my part, here is how I proceeded:
- Message to all users asking them not to turn off their computers in the evening.
- Group Policy deployment at 7:00 PM.
- First restart of the computers at 4:30 AM.
- Second restart of the computers at 6:00 AM.
With this method, we had almost no side effects.
To schedule the reboots, use a third-party tool if you have one, or deploy scheduled tasks through Group Policy.
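The following PowerShell is an added example, not code from the original post or a tool it names: it registers a local scheduled task that reboots the machine at the two times used above (4:30 AM and 6:00 AM the next day) with a five-minute warning. The task name, the warning delay and the shutdown message are my own choices; deploy it through a Group Policy startup script or reproduce the same action and triggers in a Group Policy Preferences Scheduled Task item.

```powershell
# Added example (not from the original post): a one-off scheduled task that
# reboots the workstation twice the night after the Kerberos GPO is deployed.
# Task name, warning delay and message are assumptions; run as an administrator.

$TaskName    = 'Kerberos-Policy-Reboot'          # assumed name
$RebootTimes = @('04:30', '06:00')               # matches the two restarts above
$WarnSeconds = 300                               # 5-minute countdown before reboot

function New-RebootTriggers {
    # One -Once trigger per time, all on the following calendar day.
    param([string[]]$Times)
    $tomorrow = (Get-Date).Date.AddDays(1)
    foreach ($t in $Times) {
        New-ScheduledTaskTrigger -Once -At ($tomorrow + [TimeSpan]::Parse($t))
    }
}

function Register-KerberosRebootTask {
    param([string]$Name, [string[]]$Times, [int]$Warn)

    $triggers = @(New-RebootTriggers -Times $Times)

    # shutdown.exe /r reboots; /t gives users a countdown; /c shows the reason.
    $action = New-ScheduledTaskAction -Execute 'shutdown.exe' `
        -Argument ('/r /t {0} /c "Planned restart after Kerberos encryption policy change"' -f $Warn)

    # Run as SYSTEM so it works whether or not a user is logged on.
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest

    # No -StartWhenAvailable: a trigger missed because the PC was off must not
    # fire a pointless reboot right after the user powers it on in the morning.
    $settings = New-ScheduledTaskSettingsSet -WakeToRun -AllowStartIfOnBatteries `
        -DontStopIfGoingOnBatteries -ExecutionTimeLimit (New-TimeSpan -Minutes 10)

    Register-ScheduledTask -TaskName $Name -Action $action -Trigger $triggers `
        -Principal $principal -Settings $settings -Force
}

Register-KerberosRebootTask -Name $TaskName -Times $RebootTimes -Warn $WarnSeconds | Out-Null

# Show what was registered so the times can be checked before leaving for the night.
(Get-ScheduledTask -TaskName $TaskName).Triggers | Select-Object StartBoundary
```

Because the triggers are -Once, the task does not fire again on later nights; remove it with `Unregister-ScheduledTask -TaskName 'Kerberos-Policy-Reboot' -Confirm:$false` once the rollout is over, or let the same GPO that created it delete it.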