After installing Symantec Endpoint Protection 12.1 with Network Threat Protection, or at least the Firewall feature, Windows clients fail to process group policies during startup. The associated group policy configuration has an advanced amount of settings being applied, possibly including the distribution of software packages.

Windows System Event Log may show event ID 5719 (No Domain Controller is available...) Windows Application Event Log shows event ID 1054 (Windows cannot obtain the domain controller name...) and event ID 1000 (Could not execute the following script...) from subsequently failing logon scripts.

This behavior is not caused by Symantec Endpoint Protection blocking certain domain controller traffic. Adding an additional component to the network stack, like the Symantec Endpoint Protection firewall, may exceed standard timeouts during Windows startup, so that certain actions like applying group policies fail.

Event ID 5719 could be caused by the Netlogon service starting before the network is ready. This is typically not a problem as the connection is retried later on once the network becomes available. Microsoft's knowledge base article KB938449 lists possible causes and solutions.

To allow more time for group policy processing, a higher timeout (e.g. 60s) can be set via GpNetworkStartTimeoutPolicyValue in the registry at

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GpNetworkStartTimeoutPolicyValue

on Windows XP, Windows Server 2003 or

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Winlogon\GpNetworkStartTimeoutPolicyValue

on Windows 7, Windows Server 2008

See Micosoft's knowledge base at KB840669 or KB2421599 for further information.