Windows 11 does not apply group policies at logon when Hardened UNC paths are configured with RequireMutualAuthentication=1 (Computer Configuration/Administrative Templates/Network/Network Provider, Hardened UNC Paths). This works without issues on Windows 10. It appears that access to the SYSVOL share fails during logon. Error 2148073478 / Invalid Signature is logged in the Windows event log for the SYSVOL UNC path. According to https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/error-messages-smb-connections this error is related to the Secure Negotiate feature added to SMB 3.0 in Windows Server 2012 and Windows 8, but that predates Windows 10, which works correctly, and I am fairly certain Samba already supports this SMB3 feature. Tested on 4.21.9 and 4.23.3.
Microsoft Customer Service and Support suggested it might be related to issue #15876, but that does not seem accurate because that security hardening was focused on Samba running as a member server in a Windows Active Directory environment, where Microsoft introduced schannel hardening changes on the server side. Microsoft support declined to investigate further, stating that Samba falls outside their support scope. I understand their position, but I was hoping they could explain why Windows behaves this way and whether SMB3 signing is failing or something else is occurring. I hope dochelp will be more willing to assist with troubleshooting.
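As an added diagnostic example (not part of the original report and not Samba or Microsoft code), the following decodes the logged error 2148073478 into its HRESULT fields and resolves which Hardened UNC Paths entries cover a SYSVOL path. The policy entries, host names and the simplified per-component wildcard matching are assumptions made for illustration; Windows' own matching and precedence rules are not reproduced here.

```python
# Added example. POLICY and TARGET are constructed sample data, not values from the report.
KNOWN = {0x80090006: "NTE_BAD_SIGNATURE (Invalid Signature)"}  # winerror.h

def decode_hresult(value: int) -> dict:
    """Split a decimal event-log error into HRESULT fields."""
    value &= 0xFFFFFFFF
    return {
        "hex": f"0x{value:08X}",
        "failure": bool(value >> 31),        # severity bit
        "facility": (value >> 16) & 0x7FF,   # 9 = FACILITY_SSPI
        "code": value & 0xFFFF,
        "name": KNOWN.get(value, "unknown"),
    }

def parse_hardening(value: str) -> dict:
    """Parse 'RequireMutualAuthentication=1, RequireIntegrity=1' into flags."""
    flags = {}
    for item in value.split(","):
        key, sep, val = item.strip().partition("=")
        if sep:
            flags[key.strip()] = val.strip() == "1"
    return flags

def split_unc(path: str) -> tuple:
    """Return (server, share) of a UNC path or pattern, lower-cased."""
    parts = path.strip("\\").split("\\")
    return parts[0].lower(), parts[1].lower() if len(parts) > 1 else ""

def matching_entries(policy: dict, target: str) -> dict:
    """Entries whose server and share components match the target (assumed rule)."""
    server, share = split_unc(target)
    hits = {}
    for pattern, value in policy.items():
        p_server, p_share = split_unc(pattern)
        if p_server in ("*", server) and p_share in ("*", share):
            hits[pattern] = parse_hardening(value)
    return hits

POLICY = {  # constructed: as the policy would appear under Hardened UNC Paths
    r"\\*\SYSVOL": "RequireMutualAuthentication=1",
    r"\\*\NETLOGON": "RequireMutualAuthentication=1, RequireIntegrity=1",
    r"\\fileserver.example\*": "RequirePrivacy=1",
}
TARGET = r"\\samdom.example.com\SYSVOL\samdom.example.com\Policies"  # constructed

if __name__ == "__main__":
    print(decode_hresult(2148073478))
    print(matching_entries(POLICY, TARGET))
```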