I'm trying to troubleshoot some Group Policy startup processing issues on domain-joined, remote computers that establish a Zscaler/VPN connection at startup and before logon. This causes a short delay in domain connectivity that is not typically present when the machine is physically on the network.
I've set a couple of GPOs:
- Always wait for the network at computer startup and logon
- Specify startup policy processing wait time = 60 seconds
This results in the following type of event log entries:
Group Policy waited for 17031 milliseconds for the network subsystem at computer boot.
However, sometimes that number hits 60000 milliseconds, which coincides with my GPOs. So, essentially, sometimes GPO detects the "network subsystem" is available, and other times it doesn't. Yet, it always successfully downloads GPOs and applies them after this time.
To try to determine how Group Policy determines network availability, I targeted the netlogon service debug logs, thinking that DC discovery and connectivity were coming into play. But netlogon indicates successful session setup with a DC at times that do not coincide with the Group Policy event log entry. For instance, when GP waits 60 seconds, netlogon has already indicated successful connections to domain controllers well before that. Other times, when GP waits less than 60 seconds, netlogon has still not completed a successful session to a DC.
How does Group Policy determine when the network subsystem is available?