netlogon share access denied
Detecting the problem on the user side.
A corporate user is using his domain laptop at home, as a domain user. He remembers that he needs something from the corporate network. He connects to his home network and then logs into the corporate network with Cisco Secure Client VPN. The VPN client indicates that the login was successful. The user has access to all necessary resources, except for the contents of \\fqdn.domain.name.com\netlogon. The user interface asks for credentials, but does not accept the entered credentials and indicates that access is denied. The access problem automatically disappears after ~15 minutes. (The user can access all DC netlogon shares even before the 15 minutes have elapsed, using the \\fqdn.dc.name.com\netlogon UNC path.)
The background of the problem so far.
If the user tries to access the resources of \\fqdn.domain.name.com\netlogon before the DC they want to connect to has a Kerberos ticket, Windows authenticates to the DC using NTLM over the SMB protocol. Since the access is successful, this successful access is cached in the MUP, but the "surrogate provider" in this case is not "DfsClient", but "(null)". However, Windows blocks this access due to the "Hardened UNC" in the absence of an entry covering the existence of mutual authentication. If we delete the MUP cache after ~1 minute, the problem also disappears.
Does anyone know of any MS recommendations for specifically fixing this problem?
(I'm not interested in suggestions like turning off "UNC hardening" or running scripts, but for example, is there a reg or GP option to influence this process? They've worked hard to increase security, but some help would be nice on how to use it without problems.)
Thanks!
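A diagnostic added here (not part of the original post) that correlates the two things the question hinges on: which Hardened UNC Paths policy rule covers the netlogon path, and whether a Kerberos cifs/ service ticket for a DC is cached at the moment the access fails. It assumes a PowerShell session as the affected domain user on the laptop; the UNC path parameter defaults to the one named in the post, and the registry key is the one Group Policy writes for "Hardened UNC Paths".

```powershell
# Added example, not the poster's code. Reads the effective Hardened UNC Paths
# policy and the cached Kerberos cifs/ tickets so a failing netlogon access can
# be matched to "which rule applies" and "was a ticket for the DC present yet".
param(
    [string]$UncPath = '\\fqdn.domain.name.com\netlogon'   # path from the post
)

# Group Policy stores each rule as: value name = UNC pattern (e.g. \\*\NETLOGON),
# value data = "RequireMutualAuthentication=1, RequireIntegrity=1, ..."
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'

function Get-HardenedPathRules {
    if (-not (Test-Path $policyKey)) { return @() }
    $key = Get-Item $policyKey
    foreach ($name in $key.GetValueNames()) {
        $flags = @{}
        foreach ($pair in ([string]$key.GetValue($name) -split ',')) {
            $kv = $pair.Trim() -split '=', 2
            if ($kv.Count -eq 2) { $flags[$kv[0].Trim()] = $kv[1].Trim() }
        }
        [pscustomobject]@{ Pattern = $name; Flags = $flags }
    }
}

function Test-PatternMatch {
    param([string]$Pattern, [string]$Path)
    # In policy patterns "*" stands for one whole server or share component.
    $regex = '^' + [regex]::Escape($Pattern).Replace('\*', '[^\\]+') + '(\\.*)?$'
    return $Path -imatch $regex
}

function Get-CifsTicketTargets {
    # klist prints "Server: cifs/host @ REALM" for each cached service ticket;
    # a hardened path with RequireMutualAuthentication=1 needs one of these.
    (klist tickets 2>$null) |
        Select-String -Pattern 'Server:\s+cifs/(\S+)' |
        ForEach-Object { $_.Matches[0].Groups[1].Value }
}

$applicable = Get-HardenedPathRules | Where-Object { Test-PatternMatch $_.Pattern $UncPath }
if (-not $applicable) {
    "No Hardened UNC Paths rule covers $UncPath"
} else {
    foreach ($rule in $applicable) {
        $text = ($rule.Flags.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join ', '
        "Rule {0} applies to {1}: {2}" -f $rule.Pattern, $UncPath, $text
    }
}
"Cached Kerberos cifs/ tickets: " + ((Get-CifsTicketTargets) -join ', ')
```

Run it once while the access is being refused and once after it starts working: if the rule line is identical but the cifs/ ticket for a DC appears only in the second run, the failure lines up with the NTLM-first, Kerberos-later sequence described in the post rather than with the policy itself.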