netsh fail on update to 2.6 with DCO under Windows system account #355

Open
TitovLab opened this issue Apr 4, 2023 · 3 comments

TitovLab commented Apr 4, 2023

Describe the bug
If version 2.5.9 is updated to version 2.6.2, then until the next Windows restart, neither OpenVPNService nor OpenVPN GUI can set TCP/IP settings on the DCO adapter if the update was installed in unattended mode under the Windows system account (for example, through Active Directory via group policies).
Restarting OpenVPNService and OpenVPNServiceInteractive does not help.

If the update is done manually under the administrator account in interactive mode, then everything goes smoothly: the installer breaks the connection through the TAP adapter and immediately launches a new one through DCO, no reboot is required.

If the update is done manually under the administrator, but in unattended mode (msiexec /i OpenVPN-2.6.2-I001-amd64.msi /qn /l*v log.txt), then the system goes into reboot during installation, after which everything is working.

To Reproduce

  1. Install OpenVPN-2.5.9-I601-amd64 with OpenVPNService
  2. Add config to config-auto folder (no WinTUN, only TAP adapter)
  3. Restart OpenVPNService
  4. Install update to any 2.6.x version with DCO in unattended mode under Windows system account (for example: run psexec -i -s cmd.exe and then in system console msiexec /i OpenVPN-2.6.2-I001-amd64.msi /qn /l*v log.txt)

Expected behavior
Successful connection after update to 2.6.x with DCO.

Version information (please complete the following information):

  • OS: Windows 10 19045.2728
  • OpenVPN version: OpenVPN-2.5.9-I601-amd64 and OpenVPN-2.6.2-I001-amd64

Additional context
OpenVPN log:

2023-04-04 16:01:58 OpenVPN 2.6.2 [git:v2.6.2/3577442530eb7830] Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] [DCO] built on Mar 24 2023
2023-04-04 16:01:58 Windows version 10.0 (Windows 10 or greater), amd64 executable
2023-04-04 16:01:58 library versions: OpenSSL 3.0.8 7 Feb 2023, LZO 2.10
2023-04-04 16:01:58 DCO version: v0
2023-04-04 16:01:58 TCP/UDP: Preserving recently used remote address: [AF_INET]111.111.111.111:1194
2023-04-04 16:01:58 ovpn-dco device [OpenVPN Data Channel Offload] opened
2023-04-04 16:01:58 TCP_CLIENT link local: (not bound)
2023-04-04 16:01:58 TCP_CLIENT link remote: [AF_INET]111.111.111.111:1194
2023-04-04 16:01:58 TLS: Initial packet from [AF_INET]111.111.111.111:1194, sid=ee9d5252 7f7e9ecf
2023-04-04 16:01:58 VERIFY OK: depth=1, C=XX, ST=XX, L=XX, O=XX, OU=XX, CN=XX CA, name=EasyRSA, emailAddress=xx@xx.com
2023-04-04 16:01:58 VERIFY KU OK
2023-04-04 16:01:58 Validating certificate extended key usage
2023-04-04 16:01:58 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2023-04-04 16:01:58 NOTE: --mute triggered...
2023-04-04 16:01:58 3 variation(s) on previous 20 message(s) suppressed by --mute
2023-04-04 16:01:58 [lin3.domain.local] Peer Connection Initiated with [AF_INET]111.111.111.111:1194
2023-04-04 16:01:58 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
2023-04-04 16:01:58 TLS: tls_multi_process: initial untrusted session promoted to trusted
2023-04-04 16:02:00 SENT CONTROL [lin3.domain.local]: 'PUSH_REQUEST' (status=1)
2023-04-04 16:02:00 PUSH: Received control message: 'PUSH_REPLY,persist-key,topology subnet,route 192.168.122.0 255.255.255.0,route 192.168.20.0 255.255.255.0,route 192.168.21.0 255.255.255.0,route 192.168.22.0 255.255.255.0,route 192.168.23.0 255.255.255.0,route-gateway 10.122.0.1,route-metric 405,dhcp-option DNS 192.168.20.3,dhcp-option DNS 192.168.21.3,dhcp-option DOMAIN corp.local,ping 10,ping-restart 120,ifconfig 10.122.0.22 255.255.255.0,peer-id 0,cipher AES-256-GCM'
2023-04-04 16:02:00 OPTIONS IMPORT: --persist options modified
2023-04-04 16:02:00 OPTIONS IMPORT: --ifconfig/up options modified
2023-04-04 16:02:00 OPTIONS IMPORT: route options modified
2023-04-04 16:02:00 OPTIONS IMPORT: route-related options modified
2023-04-04 16:02:00 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2023-04-04 16:02:00 interactive service msg_channel=0
2023-04-04 16:02:00 NETSH: C:\Windows\system32\netsh.exe interface ip set address 15 static 10.122.0.22 255.255.255.0
2023-04-04 16:02:00 ERROR: netsh command failed: returned error code 1
2023-04-04 16:02:04 NETSH: C:\Windows\system32\netsh.exe interface ip set address 15 static 10.122.0.22 255.255.255.0
2023-04-04 16:02:04 ERROR: netsh command failed: returned error code 1
2023-04-04 16:02:08 NETSH: C:\Windows\system32\netsh.exe interface ip set address 15 static 10.122.0.22 255.255.255.0
2023-04-04 16:02:08 ERROR: netsh command failed: returned error code 1
2023-04-04 16:02:12 NETSH: C:\Windows\system32\netsh.exe interface ip set address 15 static 10.122.0.22 255.255.255.0
2023-04-04 16:02:13 ERROR: netsh command failed: returned error code 1
2023-04-04 16:02:17 NETSH: command failed
2023-04-04 16:02:17 Exiting due to fatal error

Client config:

dev tun
client
proto tcp-client
remote 111.111.111.111 1194
resolv-retry infinite
nobind
ca ca.crt
cert XX.crt
key XX.key
remote-cert-tls server
tls-client
cipher AES-256-GCM
verb 3
mute 20
pull
allow-pull-fqdn

MSI log (updating from 2.5.9 to 2.6.2 in unattended mode under the Windows system account):
to262.txt


selvanair commented Apr 4, 2023

Looks like the DCO adapter is not fully set up and causes the netsh failure. Does a reboot fix it?
Possibly the installer is not scheduling a required reboot? But, I couldn't reproduce this by moving from 2.5.9 to 2.6.2 installed as system as described here.

In any case, this is likely an installation issue -- may be moved to openvpn-build?


TitovLab commented Apr 6, 2023

Yes, a reboot fixes it.
The error is reproduced. Did you definitely use unattended mode (/qn switch) when installing the update under the Windows system account?

cron2 transferred this issue from OpenVPN/openvpn Apr 13, 2023

TitovLab commented Apr 22, 2023

In the latest version 2.6.3 the bug also occurs:
Steps to reproduce:

  1. Install OpenVPN-2.5.9-I601-amd64 with OpenVPNService
  2. Add config to config-auto folder (no WinTUN, only TAP adapter)
  3. Restart OpenVPNService
  4. Install update to 2.6.3 version with DCO in unattended mode under Windows system account (for example: run psexec -i -s cmd.exe and then in the opened system console window run msiexec /i OpenVPN-2.6.3-I001-amd64.msi /qn /l*v log.txt)
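
For anyone triaging this across a fleet after an unattended rollout, the failure signature in the log from the first post can be matched mechanically. The following is an added example, not part of the thread or of OpenVPN's code: it scans an OpenVPN log for runs where the ovpn-dco device opened, netsh could not set the address, and the process exited. The function name, field names and abridged sample log are constructed for illustration.

```python
import re

# Constructed sample, abridged from the log lines quoted in the first post.
SAMPLE_LOG = r"""2023-04-04 16:01:58 OpenVPN 2.6.2 [git:v2.6.2/3577442530eb7830] Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] [DCO] built on Mar 24 2023
2023-04-04 16:01:58 ovpn-dco device [OpenVPN Data Channel Offload] opened
2023-04-04 16:02:00 interactive service msg_channel=0
2023-04-04 16:02:00 NETSH: C:\Windows\system32\netsh.exe interface ip set address 15 static 10.122.0.22 255.255.255.0
2023-04-04 16:02:00 ERROR: netsh command failed: returned error code 1
2023-04-04 16:02:04 NETSH: C:\Windows\system32\netsh.exe interface ip set address 15 static 10.122.0.22 255.255.255.0
2023-04-04 16:02:04 ERROR: netsh command failed: returned error code 1
2023-04-04 16:02:17 NETSH: command failed
2023-04-04 16:02:17 Exiting due to fatal error
"""

BANNER = re.compile(r"^\S+ \S+ OpenVPN (\d+\.\d+\.\d+) ")  # process start line
DCO_OPEN = re.compile(r"ovpn-dco device \[.*\] opened")
NETSH_SET = re.compile(r"NETSH: .*netsh\.exe interface ip set address (\d+) static (\S+)")
NETSH_ERR = "ERROR: netsh command failed"
FATAL = "Exiting due to fatal error"


def find_dco_netsh_failures(log_text):
    """Return one finding per OpenVPN run where DCO opened but netsh could not address it."""
    findings, run = [], None
    for line in log_text.splitlines():
        banner = BANNER.match(line)
        if banner:  # a new process start resets the per-run state
            run = {"version": banner.group(1), "started": line[:19], "dco": False,
                   "if_index": None, "address": None, "netsh_errors": 0}
            continue
        if run is None:
            continue
        if DCO_OPEN.search(line):
            run["dco"] = True
        cmd = NETSH_SET.search(line)
        if cmd:  # remember which interface index and address netsh was asked to set
            run["if_index"], run["address"] = int(cmd.group(1)), cmd.group(2)
        elif NETSH_ERR in line:
            run["netsh_errors"] += 1
        elif FATAL in line and run["dco"] and run["netsh_errors"]:
            findings.append(run)  # DCO opened, netsh failed, process exited
            run = None
    return findings


if __name__ == "__main__":
    for finding in find_dco_netsh_failures(SAMPLE_LOG):
        print(finding)
```

A host that produces a finding matches the state described in the thread, which the reporter says a reboot clears.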
