GPO Wireless Settings Disappearing

Hello All

I am having a strange and random problem with our wireless enabled machines.
All of our wireless settings are controlled by a wireless gpo. All of our
computers/laptops are Windows XP with SP2. Each client has KB893357-v2 and
KB917021-v3 hotfixes applied. We are using Windows 2003 Standard servers
with IAS and server specific certificates.

We have a selection of machines for whatever reason that appear to be losing
their GPO'd controlled settings, which then means they are not able to
connect to the network!

Has anyone experienced this problem before or can someone suggest anything
that we could do to rectify the problem?

Any help is appreciated.

Phill

We need more information to help. What does the GPO do? Is local policy or
domain policy?

--
Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on
http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on
http://www.HowToNetworking.com
"SCL" <(E-Mail Removed)> wrote in message
news:8B5CF67D-1646-4AB3-B0BF-(E-Mail Removed)...
> Hello All
>
> I am having a strange and random problem with our wireless enabled
> machines.
> All of our wireless settings are controlled by a wireless gpo. All of our
> computers/laptops are Windows XP with SP2. Each client has KB893357-v2
> and
> KB917021-v3 hotfixes applied. We are using Windows 2003 Standard servers
> with IAS and server specific certificates.
>
> We have a selection of machines for whatever reason that appear to be
> losing
> their GPO'd controlled settings, which then means they are not able to
> connect to the network!
>
> Has anyone experienced this problem before or can someone suggest anything
> that we could do to rectify the problem?
>
> Any help is appreciated.
>
> Phill

Sorry for the long reply but below is the contents of the policies that we
are using. These policies are enforced on all machines and it is only a
small handful of machines that are having the problem. One day they are
working and the next they are not.

We are using two policies for the wireless and I believe all are domain
policies.

The first GPO we have called Wi-Fi3 WPA2. The settings for this are as
follows:

Computer Configuration (Enabled) > Windows Settings > Wireless Network >
General >
Name Wi-Fi 3 WPA2
Description Third POLICY
Check for policy changes every 180 minutes
Networks to access Access point (infrastructure) networks only
Use Windows to configure wireless network settings for clients
Enabled
Automatically connect to non-preferred networks Disabled

The following settings have been made using Vista to amend the WiFi 3 WPA2
policy as XP doesn't have a policy for WPA2.

Global Settings >
Use Windows wireless LAN network services for clients Enabled
Allow user to view denied networks Enabled
Allow everyone to create all user profiles Enabled

Network Filters >
Use Windows wireless LAN network services for clients Enabled
Allow user to view denied networks Enabled
Allow everyone to create all user profiles Enabled

Preferred Network Profiles > OUR NETWORK NAME
Use Windows wireless LAN network services for clients Enabled
Allow user to view denied networks Enabled
Allow everyone to create all user profiles Enabled

Security Settings >
Authentication WPA2
Encryption AES
Use 802.1X Enabled
Pairwise Master Key (PMK) Caching Enabled
PMK Time-to-Live (minutes) 720
Number of Entries in PMK Cache 128
Use Network Pre-authentication Disabled

IEEE 802.1X Settings >
Computer Authentication User re-authentication
Maximum EAPOL-Start Messages Sent 3
Held Period (seconds) 1
Start Period (seconds) 5
Authentication Period (seconds) 18

The PKI Policy is as follows:

Computer Configuration (Enabled) > Windows Settings > Security Settings >
Public Key Policies/Autoenrollment Settings >
Enroll certificates automatically Enabled
Renew expired certificates, update pending certificates, and remove
revoked certificates Disabled
Update certificates that use certificate templates Disabled

Public Key Policies/Encrypting File System
Allow users to encrypt files using Encrypting File System (EFS)
Enabled

Public Key Policies/Trusted Root Certification Authorities
Allow users to select new root certification authorities (CAs) to
trust Enabled
Client computers can trust the following certificate stores
Third-Party Root Certification Authorities and Enterprise Root Certification
Authorities
To perform certificate-based authentication of users and computers,
CAs must meet the following criteria Registered in Active Directory only

Certificates
This lists the trusted certificates that each client must have to connect to
the network

I hope this is enough information as I couldn't extract anymore out of the
GPO's. If you need anymore information please let me know.

Phill

"Robert L. (MS-MVP)" wrote:

> We need more information to help. What does the GPO do? Is local policy or
> domain policy?
>
> --
> Bob Lin, MS-MVP, MCSE & CNE
> Networking, Internet, Routing, VPN Troubleshooting on
> http://www.ChicagoTech.net
> How to Setup Windows, Network, VPN & Remote Access on
> http://www.HowToNetworking.com
> "SCL" <(E-Mail Removed)> wrote in message
> news:8B5CF67D-1646-4AB3-B0BF-(E-Mail Removed)...
> > Hello All
> >
> > I am having a strange and random problem with our wireless enabled
> > machines.
> > All of our wireless settings are controlled by a wireless gpo. All of our
> > computers/laptops are Windows XP with SP2. Each client has KB893357-v2
> > and
> > KB917021-v3 hotfixes applied. We are using Windows 2003 Standard servers
> > with IAS and server specific certificates.
> >
> > We have a selection of machines for whatever reason that appear to be
> > losing
> > their GPO'd controlled settings, which then means they are not able to
> > connect to the network!
> >
> > Has anyone experienced this problem before or can someone suggest anything
> > that we could do to rectify the problem?
> >
> > Any help is appreciated.
> >
> > Phill
>
>

Can the problematic computers connect to the wireless? If not, any errors in
the IAS event viewer?

--
Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on
http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on
http://www.HowToNetworking.com
"SCL" <(E-Mail Removed)> wrote in message
news:122F6E59-35D8-4FEC-92C1-(E-Mail Removed)...
> Sorry for the long reply but below is the contents of the policies that we
> are using. These policies are enforced on all machines and it is only a
> small handful of machines that are having the problem. One day they are
> working and the next they are not.
>
> We are using two policies for the wireless and I believe all are domain
> policies.
>
> The first GPO we have called Wi-Fi3 WPA2. The settings for this are as
> follows:
>
> Computer Configuration (Enabled) > Windows Settings > Wireless Network >
> General >
> Name Wi-Fi 3 WPA2
> Description Third POLICY
> Check for policy changes every 180 minutes
> Networks to access Access point (infrastructure) networks only
> Use Windows to configure wireless network settings for clients
> Enabled
> Automatically connect to non-preferred networks Disabled
>
> The following settings have been made using Vista to amend the WiFi 3 WPA2
> policy as XP doesn't have a policy for WPA2.
>
> Global Settings >
> Use Windows wireless LAN network services for clients Enabled
> Allow user to view denied networks Enabled
> Allow everyone to create all user profiles Enabled
>
> Network Filters >
> Use Windows wireless LAN network services for clients Enabled
> Allow user to view denied networks Enabled
> Allow everyone to create all user profiles Enabled
>
> Preferred Network Profiles > OUR NETWORK NAME
> Use Windows wireless LAN network services for clients Enabled
> Allow user to view denied networks Enabled
> Allow everyone to create all user profiles Enabled
>
> Security Settings >
> Authentication WPA2
> Encryption AES
> Use 802.1X Enabled
> Pairwise Master Key (PMK) Caching Enabled
> PMK Time-to-Live (minutes) 720
> Number of Entries in PMK Cache 128
> Use Network Pre-authentication Disabled
>
> IEEE 802.1X Settings >
> Computer Authentication User re-authentication
> Maximum EAPOL-Start Messages Sent 3
> Held Period (seconds) 1
> Start Period (seconds) 5
> Authentication Period (seconds) 18
>
> The PKI Policy is as follows:
>
> Computer Configuration (Enabled) > Windows Settings > Security Settings >
> Public Key Policies/Autoenrollment Settings >
> Enroll certificates automatically Enabled
> Renew expired certificates, update pending certificates, and
> remove
> revoked certificates Disabled
> Update certificates that use certificate templates Disabled
>
> Public Key Policies/Encrypting File System
> Allow users to encrypt files using Encrypting File System (EFS)
> Enabled
>
> Public Key Policies/Trusted Root Certification Authorities
> Allow users to select new root certification authorities (CAs) to
> trust Enabled
> Client computers can trust the following certificate stores
> Third-Party Root Certification Authorities and Enterprise Root
> Certification
> Authorities
> To perform certificate-based authentication of users and
> computers,
> CAs must meet the following criteria Registered in Active Directory only
>
> Certificates
> This lists the trusted certificates that each client must have to connect
> to
> the network
>
> I hope this is enough information as I couldn't extract anymore out of the
> GPO's. If you need anymore information please let me know.
>
> Phill
>
> "Robert L. (MS-MVP)" wrote:
>
>> We need more information to help. What does the GPO do? Is local policy
>> or
>> domain policy?
>>
>> --
>> Bob Lin, MS-MVP, MCSE & CNE
>> Networking, Internet, Routing, VPN Troubleshooting on
>> http://www.ChicagoTech.net
>> How to Setup Windows, Network, VPN & Remote Access on
>> http://www.HowToNetworking.com
>> "SCL" <(E-Mail Removed)> wrote in message
>> news:8B5CF67D-1646-4AB3-B0BF-(E-Mail Removed)...
>> > Hello All
>> >
>> > I am having a strange and random problem with our wireless enabled
>> > machines.
>> > All of our wireless settings are controlled by a wireless gpo. All of
>> > our
>> > computers/laptops are Windows XP with SP2. Each client has KB893357-v2
>> > and
>> > KB917021-v3 hotfixes applied. We are using Windows 2003 Standard
>> > servers
>> > with IAS and server specific certificates.
>> >
>> > We have a selection of machines for whatever reason that appear to be
>> > losing
>> > their GPO'd controlled settings, which then means they are not able to
>> > connect to the network!
>> >
>> > Has anyone experienced this problem before or can someone suggest
>> > anything
>> > that we could do to rectify the problem?
>> >
>> > Any help is appreciated.
>> >
>> > Phill
>>
>>

The problematic computers can connect when they have the GPO's, the problem
happens when the GPO's themselves seem to be removed from the machines for no
reason.

The stupidity of it is, the computers have been working for
days/weeks/months without problem and then the user logs onto their machine
and for whatever reason the machine doesn't receive/keep the GPO's that have
been applied for the wireless.

We know the machines have kept other GPO's for example we GPO the Windows
Firewall and these machines still have the correct settings.

Phill

"Robert L. (MS-MVP)" wrote:

> Can the problematic computers connect to the wireless? If not, any errors in
> the IAS event viewer?
>
> --
> Bob Lin, MS-MVP, MCSE & CNE
> Networking, Internet, Routing, VPN Troubleshooting on
> http://www.ChicagoTech.net
> How to Setup Windows, Network, VPN & Remote Access on
> http://www.HowToNetworking.com
> "SCL" <(E-Mail Removed)> wrote in message
> news:122F6E59-35D8-4FEC-92C1-(E-Mail Removed)...
> > Sorry for the long reply but below is the contents of the policies that we
> > are using. These policies are enforced on all machines and it is only a
> > small handful of machines that are having the problem. One day they are
> > working and the next they are not.
> >
> > We are using two policies for the wireless and I believe all are domain
> > policies.
> >
> > The first GPO we have called Wi-Fi3 WPA2. The settings for this are as
> > follows:
> >
> > Computer Configuration (Enabled) > Windows Settings > Wireless Network >
> > General >
> > Name Wi-Fi 3 WPA2
> > Description Third POLICY
> > Check for policy changes every 180 minutes
> > Networks to access Access point (infrastructure) networks only
> > Use Windows to configure wireless network settings for clients
> > Enabled
> > Automatically connect to non-preferred networks Disabled
> >
> > The following settings have been made using Vista to amend the WiFi 3 WPA2
> > policy as XP doesn't have a policy for WPA2.
> >
> > Global Settings >
> > Use Windows wireless LAN network services for clients Enabled
> > Allow user to view denied networks Enabled
> > Allow everyone to create all user profiles Enabled
> >
> > Network Filters >
> > Use Windows wireless LAN network services for clients Enabled
> > Allow user to view denied networks Enabled
> > Allow everyone to create all user profiles Enabled
> >
> > Preferred Network Profiles > OUR NETWORK NAME
> > Use Windows wireless LAN network services for clients Enabled
> > Allow user to view denied networks Enabled
> > Allow everyone to create all user profiles Enabled
> >
> > Security Settings >
> > Authentication WPA2
> > Encryption AES
> > Use 802.1X Enabled
> > Pairwise Master Key (PMK) Caching Enabled
> > PMK Time-to-Live (minutes) 720
> > Number of Entries in PMK Cache 128
> > Use Network Pre-authentication Disabled
> >
> > IEEE 802.1X Settings >
> > Computer Authentication User re-authentication
> > Maximum EAPOL-Start Messages Sent 3
> > Held Period (seconds) 1
> > Start Period (seconds) 5
> > Authentication Period (seconds) 18
> >
> > The PKI Policy is as follows:
> >
> > Computer Configuration (Enabled) > Windows Settings > Security Settings >
> > Public Key Policies/Autoenrollment Settings >
> > Enroll certificates automatically Enabled
> > Renew expired certificates, update pending certificates, and
> > remove
> > revoked certificates Disabled
> > Update certificates that use certificate templates Disabled
> >
> > Public Key Policies/Encrypting File System
> > Allow users to encrypt files using Encrypting File System (EFS)
> > Enabled
> >
> > Public Key Policies/Trusted Root Certification Authorities
> > Allow users to select new root certification authorities (CAs) to
> > trust Enabled
> > Client computers can trust the following certificate stores
> > Third-Party Root Certification Authorities and Enterprise Root
> > Certification
> > Authorities
> > To perform certificate-based authentication of users and
> > computers,
> > CAs must meet the following criteria Registered in Active Directory only
> >
> > Certificates
> > This lists the trusted certificates that each client must have to connect
> > to
> > the network
> >
> > I hope this is enough information as I couldn't extract anymore out of the
> > GPO's. If you need anymore information please let me know.
> >
> > Phill
> >
> > "Robert L. (MS-MVP)" wrote:
> >
> >> We need more information to help. What does the GPO do? Is local policy
> >> or
> >> domain policy?
> >>
> >> --
> >> Bob Lin, MS-MVP, MCSE & CNE
> >> Networking, Internet, Routing, VPN Troubleshooting on
> >> http://www.ChicagoTech.net
> >> How to Setup Windows, Network, VPN & Remote Access on
> >> http://www.HowToNetworking.com
> >> "SCL" <(E-Mail Removed)> wrote in message
> >> news:8B5CF67D-1646-4AB3-B0BF-(E-Mail Removed)...
> >> > Hello All
> >> >
> >> > I am having a strange and random problem with our wireless enabled
> >> > machines.
> >> > All of our wireless settings are controlled by a wireless gpo. All of
> >> > our
> >> > computers/laptops are Windows XP with SP2. Each client has KB893357-v2
> >> > and
> >> > KB917021-v3 hotfixes applied. We are using Windows 2003 Standard
> >> > servers
> >> > with IAS and server specific certificates.
> >> >
> >> > We have a selection of machines for whatever reason that appear to be
> >> > losing
> >> > their GPO'd controlled settings, which then means they are not able to
> >> > connect to the network!
> >> >
> >> > Has anyone experienced this problem before or can someone suggest
> >> > anything
> >> > that we could do to rectify the problem?
> >> >
> >> > Any help is appreciated.
> >> >
> >> > Phill
> >>
> >>
>
>

Forgot to mention there are no entries in the IAS logs when these computers
fail to connect due to no wireless settings.

"SCL" wrote:

> The problematic computers can connect when they have the GPO's, the problem
> happens when the GPO's themselves seem to be removed from the machines for no
> reason.
>
> The stupidity of it is, the computers have been working for
> days/weeks/months without problem and then the user logs onto their machine
> and for whatever reason the machine doesn't receive/keep the GPO's that have
> been applied for the wireless.
>
> We know the machines have kept other GPO's for example we GPO the Windows
> Firewall and these machines still have the correct settings.
>
> Phill
>
> "Robert L. (MS-MVP)" wrote:
>
> > Can the problematic computers connect to the wireless? If not, any errors in
> > the IAS event viewer?
> >
> > --
> > Bob Lin, MS-MVP, MCSE & CNE
> > Networking, Internet, Routing, VPN Troubleshooting on
> > http://www.ChicagoTech.net
> > How to Setup Windows, Network, VPN & Remote Access on
> > http://www.HowToNetworking.com
> > "SCL" <(E-Mail Removed)> wrote in message
> > news:122F6E59-35D8-4FEC-92C1-(E-Mail Removed)...
> > > Sorry for the long reply but below is the contents of the policies that we
> > > are using. These policies are enforced on all machines and it is only a
> > > small handful of machines that are having the problem. One day they are
> > > working and the next they are not.
> > >
> > > We are using two policies for the wireless and I believe all are domain
> > > policies.
> > >
> > > The first GPO we have called Wi-Fi3 WPA2. The settings for this are as
> > > follows:
> > >
> > > Computer Configuration (Enabled) > Windows Settings > Wireless Network >
> > > General >
> > > Name Wi-Fi 3 WPA2
> > > Description Third POLICY
> > > Check for policy changes every 180 minutes
> > > Networks to access Access point (infrastructure) networks only
> > > Use Windows to configure wireless network settings for clients
> > > Enabled
> > > Automatically connect to non-preferred networks Disabled
> > >
> > > The following settings have been made using Vista to amend the WiFi 3 WPA2
> > > policy as XP doesn't have a policy for WPA2.
> > >
> > > Global Settings >
> > > Use Windows wireless LAN network services for clients Enabled
> > > Allow user to view denied networks Enabled
> > > Allow everyone to create all user profiles Enabled
> > >
> > > Network Filters >
> > > Use Windows wireless LAN network services for clients Enabled
> > > Allow user to view denied networks Enabled
> > > Allow everyone to create all user profiles Enabled
> > >
> > > Preferred Network Profiles > OUR NETWORK NAME
> > > Use Windows wireless LAN network services for clients Enabled
> > > Allow user to view denied networks Enabled
> > > Allow everyone to create all user profiles Enabled
> > >
> > > Security Settings >
> > > Authentication WPA2
> > > Encryption AES
> > > Use 802.1X Enabled
> > > Pairwise Master Key (PMK) Caching Enabled
> > > PMK Time-to-Live (minutes) 720
> > > Number of Entries in PMK Cache 128
> > > Use Network Pre-authentication Disabled
> > >
> > > IEEE 802.1X Settings >
> > > Computer Authentication User re-authentication
> > > Maximum EAPOL-Start Messages Sent 3
> > > Held Period (seconds) 1
> > > Start Period (seconds) 5
> > > Authentication Period (seconds) 18
> > >
> > > The PKI Policy is as follows:
> > >
> > > Computer Configuration (Enabled) > Windows Settings > Security Settings >
> > > Public Key Policies/Autoenrollment Settings >
> > > Enroll certificates automatically Enabled
> > > Renew expired certificates, update pending certificates, and
> > > remove
> > > revoked certificates Disabled
> > > Update certificates that use certificate templates Disabled
> > >
> > > Public Key Policies/Encrypting File System
> > > Allow users to encrypt files using Encrypting File System (EFS)
> > > Enabled
> > >
> > > Public Key Policies/Trusted Root Certification Authorities
> > > Allow users to select new root certification authorities (CAs) to
> > > trust Enabled
> > > Client computers can trust the following certificate stores
> > > Third-Party Root Certification Authorities and Enterprise Root
> > > Certification
> > > Authorities
> > > To perform certificate-based authentication of users and
> > > computers,
> > > CAs must meet the following criteria Registered in Active Directory only
> > >
> > > Certificates
> > > This lists the trusted certificates that each client must have to connect
> > > to
> > > the network
> > >
> > > I hope this is enough information as I couldn't extract anymore out of the
> > > GPO's. If you need anymore information please let me know.
> > >
> > > Phill
> > >
> > > "Robert L. (MS-MVP)" wrote:
> > >
> > >> We need more information to help. What does the GPO do? Is local policy
> > >> or
> > >> domain policy?
> > >>
> > >> --
> > >> Bob Lin, MS-MVP, MCSE & CNE
> > >> Networking, Internet, Routing, VPN Troubleshooting on
> > >> http://www.ChicagoTech.net
> > >> How to Setup Windows, Network, VPN & Remote Access on
> > >> http://www.HowToNetworking.com
> > >> "SCL" <(E-Mail Removed)> wrote in message
> > >> news:8B5CF67D-1646-4AB3-B0BF-(E-Mail Removed)...
> > >> > Hello All
> > >> >
> > >> > I am having a strange and random problem with our wireless enabled
> > >> > machines.
> > >> > All of our wireless settings are controlled by a wireless gpo. All of
> > >> > our
> > >> > computers/laptops are Windows XP with SP2. Each client has KB893357-v2
> > >> > and
> > >> > KB917021-v3 hotfixes applied. We are using Windows 2003 Standard
> > >> > servers
> > >> > with IAS and server specific certificates.
> > >> >
> > >> > We have a selection of machines for whatever reason that appear to be
> > >> > losing
> > >> > their GPO'd controlled settings, which then means they are not able to
> > >> > connect to the network!
> > >> >
> > >> > Has anyone experienced this problem before or can someone suggest
> > >> > anything
> > >> > that we could do to rectify the problem?
> > >> >
> > >> > Any help is appreciated.
> > >> >
> > >> > Phill
> > >>
> > >>
> >
> >