Windows 7 wireless NIC not initializing before netlogon service

This is an absolute nightmare of an issue with Windows 7 systems that many administrators seem to be dealing with, more so in schools than anywhere because of the high number of laptops connecting to the wireless network.



The problem...

This problem manifests itself in a large number of ways but the main critical problems are.

1. The wireless network doesnt initialize before the netlogon service. This causes the system to be unable to find a domain controller or the domain itself. Resultantly users can't logon or when they do logon they recieve a black windows 7 "temporary desktop". Error messages such as "There are currently no logon servers available to service the logon request" are also common on some specific network adapters.

2. The wireless network doesnt initialize before the group policy service, this causes the system to be unable to enumerate the latest group policies and can cause delays or failures in computer startup scripts.

3. The wireless network doesnt initalize before the app-v services launch, this causes App-V to be unable to connect with the App-V streaming server. In our environment this problem didn't give users any direct error message but they were unable to refresh or view App-V programs. If an administrator issued a policy refresh we recieved error logs containing the following:

3210
{tid=B78}
Attempting Transport Connection URL: RTSP://sgprod.com:554/Visio_Standard_Mi ... 07_MNT.sft Host: sgprod.com:554 IPAddr: 192.168.100.147 Error: 1690910A-00002002


5009
{hap=1A:app=Microsoft Office Visio 2007 Std 12.0:tid=89C}
The Application Virtualization Client could not connect to stream URL 'RTSP://sgprod.com:554/Visio_Standard_Microsoft_2007_MNT/Visio_Standard_Microsoft_2007_MNT.sft' (rc 1690910A-00002002, original rc 1690910A-00002002).


3008
{hap=1A:app=Microsoft Office Visio 2007 Std 12.0:tid=89C}
The client was unable to connect to an Application Virtualization Server (rc 1690910A-00002002)


The root cause...

The problems are caused by the wireless network adapter not initializing early enough in the Windows startup sequence.

In Windows XP a group policy exists called "Computer Configuration\Administrative Templates\System\Logon\Run logon scripts synchronously" this policy would force all the computer startup scripts to complete before the machine presented a logon screen. While this policy does still exist in the group policy console, it does not work on Windows 7, 7 simply ignores this policy. Microsoft describe this as a "security upgrade", they have moved the group policies out of the userinit and into their own service.

Another great Windows XP group policy that simply doesn't work anymore is the "Computer Configuration\Administrative Templates\System\Logon\Always wait for the network at computer startup and logon" policy. This policy is meant to do just as its name suggests, force the computer to wait for the network before it allows users to logon. Neither of these policies were able to help me resolve my issues.

This problem is also more prolific in specific network adapters. In our environment we have a number of laptops with Intel 6200 wireless adapters that are causing many more problems than the broadcom and atheros chipset based adapters in other laptops.



The fixes..

After trying all the registry settings provided by other users online, a plethora of group policy options and a number of my own scripts, I found a combination of settings that worked great for me.

Fixing the netlogon service..

As the netlogon service is starting before the wlan service, we need to delay it starting until after the wireless network is online, we can do that with dependencies. If we make the netlogon service dependant on the wireless network service, then it will wait for the wireless network service to start before it initializes itself. I found this was enough to resolve all the "black screens" and "no domain logon servers available" messages I was recieving. You can achieve that by using this command.

sc config netlogon depend= wlansvc/lanmanworkstation

When you resolve the netlogon problem the group policy issues will quickly fall in line behind it. It may not run immediately at startup, but it will run shortly after, normally within a minute or two. I tested on a number of laptops by using a computer startup script to copy a simple file to the destination computer and found most laptops completed the startup script within 1-2 minutes of startup.

Fixing the App-V services..

Fixing App-V is even easier, all we need to do is set both the App-V client services to run "on demand" instead of be an "automatic" service. We can achieve that by using these two commands.

sc config sftvsa start= demand
sc config sftlist start= demand

Now App-V doesn't initalize until its needed, and this is after the wireless lan service and the netlogon service have already started. No more App-V errors!



Applying these fixes on the fly..

As I use SCCM to deploy all the images on my network I simply added all 3 of these commands to a batch file, created a SCCM package and assigned the batch file as the program of the package. Then I added the created program as part of my SCCM image deployment task sequence.



Other fixes that might work..

Other users have reported having success with upgrading network drivers for some Intel wireless NIC's. Unfortunately for my laptops with the Intel 6200 driver I am using the latest 13.5 driver (at the time of writing this article) and still having problems. Of course when I apply my above fixes, these problems go away.



The downfalls..

Unfortunately there doesn't seem to be any definitive fix for ensuring all group policies and computer startup scripts are applied and completed before the logon prompt appears, that functionality is simply gone from Windows 7. For those users relying heavily on computer startup scripts you have two options, to either plug the computer into a wired network or try to migrate as much of that functionality as possible into user logon scripts. User logon scripts always run properly if the netlogon service has been started and detected the domain before the user logs on.


Update - 04/10/2012

I have been running the netlogon dependency change in my environment for nearly 12 months now and it has been working flawlessly. I have found no side-effects and computer logon scripts/GPO have been working consistently over wireless.