GPUPDATE—performs a group policy update for the user and computer. How to update Group Policy on a Windows computer? Domain policy update command

In this article we show a simple way to remotely update group policies on the clients (computers and servers) of an Active Directory domain, without accessing the remote machine's console and without running the gpupdate command by hand.

One of the most difficult problems in managing AD group policies is testing policies on the fly, without rebooting the computer or accessing the local computer and running the command.

The Remote Group Policy Update feature provides the ability to use a single GPO management console (GPMC.msc) to create, edit, apply, and test group policies.

Remote Group Policy updating first appeared in Microsoft Windows Server 2012. In all subsequent versions (Windows Server 2016, Microsoft Windows 10), the feature and its stability were gradually improved.

Requirements for Remote Group Policy Update to work:

Server environment requirements:

  • Windows Server 2012 and higher
  • Or Windows 10 with RSAT management tools installed

Requirements for clients:

  • Windows 7 and above

Requirements for network communication (firewalls) between the server and clients:

  • TCP port 135 must be open
  • The Windows Management Instrumentation (WMI) service must be enabled
  • The Task Scheduler service must be enabled

If your environment meets these requirements, open the Group Policy Management Console (GPMC.msc) and select the OU (container) that holds the target computers on which you want to force the GPO update.

Right-click the desired container and select Group Policy Update.

In the window that opens, information will appear on the number of objects in this OU on which the GPO will be updated. To confirm the action, click on the “Yes” button.

In the Remote Group Policy update results window, you will see the status of the policy update, as well as the status of this operation (success/error, error code). Naturally, if a computer is turned off or access to it is restricted by a firewall, a corresponding error will appear.

After a GPO is changed, it takes some time (90 minutes +/- 30) for the change to propagate to other systems. If it has to be applied urgently, the administrator logs on to the remote system and runs the "gpupdate" command. With a large number of PCs this took a while, and the process itself is inconvenient. Now you can forget about it. In the Group Policy Management Console (GPMC), a new item has appeared in the context menu of the domain and of the organizational unit: "Group Policy Update", which lets you update policies on systems starting with Windows Vista/2008 in two mouse clicks. After the action is started, a list of computers and logged-on users is retrieved, and the task "Gpupdate.exe /force" is then created for them. To avoid network congestion, it runs with a random delay in the range of 0-10 minutes. The result is displayed in a separate window, and the success of the update can be confirmed using the resultant policy wizard.
The new function also received its own cmdlet, Invoke-GPUpdate, which lets you update GP remotely and offers even more capabilities than GPMC. By the way, 27 cmdlets are now responsible for group policies, i.e. one more than before (you can get the full list by entering "Get-Command -Module GroupPolicy").
To immediately update policies on a specific system, just run:

PS> Invoke-GPUpdate -Computer <computer name>

The additional -RandomDelayInMinutes parameter sets a delay interval, which is useful when the command is executed on multiple systems.
More importantly, in the GPMC console you can only select an organizational unit; the separate Computers container is not available there. This is where Invoke-GPUpdate comes to the rescue: together with the Get-ADComputer cmdlet, it lets you select systems by any criterion:

PS> Get-ADComputer -Filter * -SearchBase "cn=computers,dc=example,dc=org" | ForEach-Object { Invoke-GPUpdate -Computer $_.Name -Force -RandomDelayInMinutes 5 }
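The pipeline above, extended with the port check from the requirements list and a per-computer result, as an added example that is not part of the original article. The search base is the article's example value; the result property names and the choice to skip hosts whose TCP port 135 is unreachable are assumptions of this example.

```powershell
# Added example: pre-check reachability, then trigger a remote policy refresh.
# Requires the ActiveDirectory and GroupPolicy modules (RSAT).
Import-Module ActiveDirectory, GroupPolicy

$searchBase = 'cn=computers,dc=example,dc=org'   # example value from the article

$results = Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $searchBase |
    ForEach-Object {
        $name = $_.Name
        $row  = [ordered]@{ Computer = $name; Port135 = $false; Status = 'Skipped'; Detail = '' }

        # Remote refresh needs TCP 135 on the client; skip hosts that are off
        # or filtered instead of waiting for Invoke-GPUpdate to fail.
        $row.Port135 = Test-NetConnection -ComputerName $name -Port 135 `
                           -InformationLevel Quiet -WarningAction SilentlyContinue

        if ($row.Port135) {
            try {
                # Creates the "gpupdate /force" task with a random 0-5 minute delay.
                Invoke-GPUpdate -Computer $name -Force -RandomDelayInMinutes 5 -ErrorAction Stop
                $row.Status = 'Scheduled'
            }
            catch {
                # Possible causes: WMI or Task Scheduler unavailable, access denied.
                $row.Status = 'Failed'
                $row.Detail = $_.Exception.Message
            }
        }
        [pscustomobject]$row
    }

$results | Sort-Object Status, Computer | Format-Table -AutoSize

# Hosts that were not refreshed, for follow-up.
$results | Where-Object Status -ne 'Scheduled' | Select-Object Computer, Status, Detail
```

A status of Scheduled only means the task was created on the client; the refresh itself runs after the random delay.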

Another important point: several firewall ports must be open on the client systems. To make the administrator's life easier, Microsoft offers 2 new starter GPOs (in addition to the 8 existing ones) that let you quickly create and distribute the required settings:

  • Firewall ports for remote Group Policy updates;
  • Firewall ports for Group Policy reports.

Their purpose is clear from the name. We are interested in the first one. We recommend that you create a new GPO and move it to the top, giving it a higher priority than the default domain GPO.
The process is simple. Select the domain and select “Create a GPO in this domain” from the menu. In the window that appears, enter the name and select from the list “Firewall ports for remote Group Policy update.” Alternatively, you can use PowerShell.

Summary: Microsoft Scripting Guy, Ed Wilson shows how to force a Group Policy update using PowerShell.

Updating Group Policy in a Domain

Sometimes I make changes to group policy on the network and I need to apply the changes to all computers. And sometimes I need to update local group policy on my computer.

To update Group Policy settings I use the utility GPUpdate. It has some parameters. By default, the utility updates both the computer and user policies. But this can be controlled using the parameter /target. For example, if I need to update only the computer policy, I will specify /target:computer. To update only the user policy − /target:user.

PS C:\> gpupdate /target:computer

Updating policy…

By default, GPUpdate applies only updated Group Policy settings. To apply all settings, use the parameter /force. The following command updates all Group Policy settings (whether or not they have been changed) for the computer and user.

PS C:\> gpupdate /force

Updating policy…

Computer Policy update has completed successfully.

User Policy update has completed successfully.

First, we get a list of computers in the domain

The first thing I need to do is get a list of all computers in the domain. For this I use the cmdlet Get-ADComputer, part of the Active Directory module.

Note: The Active Directory module is included with RSAT.

I store the resulting computer objects in the $cn variable.

$cn = Get-ADComputer -filt *

Secondly, we create remote sessions

The next thing I need to do is create remote sessions with all computers. To do this, I need to provide credentials to connect to computers, as well as create the sessions themselves using the cmdlet New-PSSession.

To start, I'll use the cmdlet Get-Credential and store the object returned by it in the $cred variable.

$cred = Get-Credential iammred\administrator

$session = New-PSSession -cn $cn.name -cred $cred

You must remember that there may be computers in the domain that are turned off, so errors may be returned when the command runs. However, despite the errors, Windows PowerShell creates sessions with the computers that are running.

The presence of a large number of errors may cause some concern. Since the session objects are stored in the $session variable, I can easily verify that they have been created.

Now let's run the command on all remote machines

To run the command GPUpdate on all remote machines I use the cmdlet Invoke-Command. It uses the sessions we saved in the $session variable. The alias for the cmdlet Invoke-Command is icm.

icm -Session $session -ScriptBlock {gpupdate /force}

After running the command, the results are displayed in the Windows PowerShell console.

Checking for a Group Policy update

When Group Policy settings are successfully updated on a workstation, an event with code 1502 is recorded in the System log. I can use the cmdlet Invoke-Command to obtain this information.

icm -Session $session -ScriptBlock {Get-EventLog -LogName system -InstanceId 1502 -Newest 1}

The command and its results are shown in the figure below.

Another interesting thing about Group Policy

Sometimes I have to call tech support and they ask me to update Group Policy on my local computer. This is not a problem since I can run GPUpdate straight from PowerShell. The difficulty comes when they ask me to update Group Policy 5 times at 5 minute intervals. But this can also be solved with one line of code.

1..5 | % {"refreshing GP $(Get-Date)"; gpupdate /force ; sleep 300}

Ed Wilson, Microsoft Scripting Guy
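The refresh-and-verify procedure from the article above, gathered into one script that reports per computer whether event 1502 was written after the refresh. This is an added example, not code from the original article; it assumes PowerShell remoting is enabled on the targets, and the report property names are hypothetical.

```powershell
# Added example: refresh policy over remoting, then confirm it with event 1502.
Import-Module ActiveDirectory

$cred  = Get-Credential                  # prompts; needs admin rights on the targets
$names = (Get-ADComputer -Filter *).Name

# Powered-off computers produce errors here; sessions to the rest are still created.
$session = New-PSSession -ComputerName $names -Credential $cred -ErrorAction SilentlyContinue
if (-not $session) { throw 'No remote sessions could be created.' }

$report = Invoke-Command -Session $session -ScriptBlock {
    $since = Get-Date                    # taken on the target, so clock skew does not matter
    gpupdate /force | Out-Null
    $exit = $LASTEXITCODE

    # The article identifies event 1502 in the System log as the record of a
    # successful update; accept only an event written after this run started.
    $evt = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1502; StartTime = $since } `
               -MaxEvents 1 -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ExitCode  = $exit
        Refreshed = [bool]$evt
        EventTime = if ($evt) { $evt.TimeCreated } else { $null }
    }
}

$report | Sort-Object Refreshed, PSComputerName |
    Format-Table PSComputerName, Refreshed, ExitCode, EventTime -AutoSize

# Computers that never got a session (off, remoting blocked, access denied).
$reached = $session.ComputerName
$names | Where-Object { $_ -notin $reached } | ForEach-Object { "No session: $_" }

$session | Remove-PSSession
```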


The Windows 10 update policy determines how Windows 10 receives updates. In Windows 10, the Update settings have been moved from Control Panel to System Settings. The settings that used to be in Control Panel are no longer there, so it is no longer possible to disable updates or choose how to receive them from that interface. However, you can use Registry Editor and Local Group Policy Editor to disable updates and set how you receive them.

Configuring updates using the Local Group Policy Editor

Launch the Local Group Policy Editor: press WIN+R, type gpedit.msc in the Run window and click OK.

Windows 10 update group policy

Go to Computer Configuration - Administrative Templates - Windows Components - Windows Update. Click the last item, Windows Update, then on the right side find the item Configure Automatic Updates and change its settings.


Setting up Windows 10 updates group policies

To do this, in the window that opens, select the Enabled option at the top and then set the update settings below. Click OK. Then, for the settings you made to take effect, open System Settings - Update & Security - Windows Update and click the Check for updates button.


Once you've finished setting up Windows 10 policies, run the update

After this, the settings you made in the Local Group Policy Editor will take effect.

Setting Up Updates Using Registry Editor

Launch the Registry Editor: press WIN+R, type regedit in the Run window that opens and click OK.


Open Registry Editor and create four settings there to manage Windows 10 updates

In the left part of the editor window that opens, expand HKEY_LOCAL_MACHINE - SOFTWARE - Policies - Microsoft - Windows. Right-click the last item, Windows. In the context menu that opens, select New - Key. Name the new key WindowsUpdate.
Then right-click the newly created WindowsUpdate key and create another key inside it, named AU.
Then right-click the newly created AU key and select New - DWORD (32-bit) Value from the menu. The new parameter appears on the right side of the window; name it AUOptions. In the same way, create three more parameters under the AU key and name them NoAutoUpdate, ScheduledInstallDay and ScheduledInstallTime (optionally also NoAutoRebootWithLoggedOnUsers). Now you need to change the values of these four new parameters.

For the AUOptions parameter

  • 2 - Receive a notification before installing and downloading any updates.
  • 3 - Automatically receive updates and notifications when they are ready for installation.
  • 4 - Automatically receive and install updates according to a specified schedule.
  • 5 - Allow local administrators to choose the update mode and notifications themselves.

For the NoAutoUpdate parameter

  • 0 - Automatic installation of updates is enabled; updates are downloaded and installed according to the AUOptions parameter.
  • 1 - Automatic installation of updates is disabled.

For the ScheduledInstallDay parameter

  • 0 - updates will be installed daily if the AUOptions parameter is set to 4.
  • 1 - updates will be installed every Monday if the AUOptions parameter is set to 4.
  • 2 - updates will be installed every Tuesday if the AUOptions parameter is set to 4.
  • 3 - updates will be installed every Wednesday if the AUOptions parameter is set to 4.
  • 4 - updates will be installed every Thursday if the AUOptions parameter is set to 4.
  • 5 - updates will be installed every Friday if the AUOptions parameter is set to 4.
  • 6 - updates will be installed every Saturday if the AUOptions parameter is set to 4.
  • 7 - updates will be installed every Sunday if the AUOptions parameter is set to 4.

For the ScheduledInstallTime parameter

A value from 0 to 23 sets the hour at which updates are installed, provided the AUOptions parameter is set to 4.

For the NoAutoRebootWithLoggedOnUsers parameter

  • 0 - When the update installation is complete, the computer will automatically reboot; it works with the AUOptions parameter set to 4.
  • 1 - When the update installation is complete, the computer will not reboot automatically; it works with the AUOptions parameter set to 4.
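To check what these registry parameters are currently set to on a machine, the added example below (not part of the original article) reads the AU key and reports values outside the ranges listed above, disabled automatic updates, and schedule settings that have no effect because AUOptions is not 4. The function name Test-AUPolicy and the finding texts are hypothetical.

```powershell
# Added example: read the Windows Update policy values and flag inconsistencies.
$path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

# Allowed ranges as listed in the article.
$ranges = [ordered]@{
    AUOptions                     = 2..5
    NoAutoUpdate                  = 0..1
    ScheduledInstallDay           = 0..7
    ScheduledInstallTime          = 0..23
    NoAutoRebootWithLoggedOnUsers = 0..1
}

function Test-AUPolicy {
    param([hashtable]$Values)   # parameter name -> DWORD value; missing = not set
    $findings = @()
    foreach ($name in $ranges.Keys) {
        if ($Values.ContainsKey($name) -and $Values[$name] -notin $ranges[$name]) {
            $findings += "$name=$($Values[$name]) is outside the listed range"
        }
    }
    if ($Values['NoAutoUpdate'] -eq 1) {
        $findings += 'NoAutoUpdate=1: automatic installation of updates is disabled'
    }
    # Per the article, schedule and reboot settings only work with AUOptions=4.
    if ($Values['AUOptions'] -ne 4) {
        foreach ($name in 'ScheduledInstallDay', 'ScheduledInstallTime', 'NoAutoRebootWithLoggedOnUsers') {
            if ($Values.ContainsKey($name)) { $findings += "$name is set but has no effect (AUOptions is not 4)" }
        }
    }
    $findings
}

# Read the live values; an absent key means no policy is configured.
$current = @{}
if (Test-Path $path) {
    $item = Get-ItemProperty -Path $path
    foreach ($name in $ranges.Keys) {
        if ($null -ne $item.$name) { $current[$name] = [int]$item.$name }
    }
}
'Configured: ' + (($current.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join ', ')
Test-AUPolicy -Values $current

# Constructed sample: updates disabled plus a schedule value that is out of range.
Test-AUPolicy -Values @{ AUOptions = 3; NoAutoUpdate = 1; ScheduledInstallDay = 9 }
```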