GPO update: how to update Group Policy on a Windows computer. Restart and shutdown options

After GPO changes are made, it takes some time (90 minutes +/- 30) for them to propagate to other systems. If they had to be applied urgently, the admin logged on to the remote system and ran the "gpupdate" command. With a large number of PCs this took a while, and the procedure itself is inconvenient. Now you can forget about it. In the Group Policy Management Console (GPMC), a new "Group Policy Update" item has appeared in the context menu of the domain and of organizational units; it lets you update policies on systems starting with Windows Vista / 2008 in two mouse clicks. After the task is activated, a list of computers and logged-on users is obtained, after which the task "Gpupdate.exe /force" is scheduled on them. To avoid network congestion, it runs with a random delay of 0-10 minutes. The result of the task is displayed in a separate window; whether the update succeeded can be determined using the Resultant Policy Wizard.
The new function also received its own cmdlet, Invoke-GPUpdate, which lets you update Group Policy remotely and offers even more options than GPMC. By the way, 27 cmdlets are now responsible for group policies, one more than before (to get the full list, enter "Get-Command -Module GroupPolicy").
To immediately update policies on a specific system, just run:

PS> Invoke-GPUpdate -Computer <computer name>

The additional -RandomDelayInMinutes parameter sets the delay interval, which is useful if the command will be executed on multiple systems.
Most importantly, in the GPMC console you can only select an organizational unit; there is no separate container for computers. This is where Invoke-GPUpdate comes to the rescue: together with the Get-ADComputer cmdlet, it lets you select systems by any criterion:

PS> Get-ADComputer -Filter * -SearchBase "cn=computers,dc=example,dc=org" | ForEach-Object { Invoke-GPUpdate -Computer $_.Name -Force -RandomDelayInMinutes 5 }

Another important point: several firewall ports must be opened on client systems. To make life easier for the admin, MS offered 2 new starter GPOs (in addition to the 8 available) that let you quickly create and distribute the necessary settings:

- Firewall ports for remote group policy updates;
- Firewall ports for Group Policy reporting.

Their purpose is clear from their names. We are interested in the first. It is recommended that you create a new GPO and move it to the top of the list, thus giving it a higher priority than the default domain GPO.
The process is simple. Select the domain and choose "Create a GPO in this domain" from the menu. In the window that appears, enter a name and select "Firewall ports for remote group policy update" from the list of starter GPOs. Alternatively, you can use PowerShell.
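The PowerShell route mentioned above, as an added example that is not part of the original page. It assumes an English-language GPMC, where this starter GPO is displayed as "Group Policy Remote Update Firewall Ports"; the new GPO name is hypothetical and the domain DN is the page's example domain.

```powershell
Import-Module GroupPolicy

# Assumption: English display name of the starter GPO the page refers to.
$starterName = 'Group Policy Remote Update Firewall Ports'
$gpoName     = 'Remote GPUpdate Firewall Ports'   # hypothetical name for the new GPO
$domainDN    = 'dc=example,dc=org'                # the page's example domain

# Stop early if the system starter GPOs have not been created in this domain.
$starter = Get-GPStarterGPO -Name $starterName -ErrorAction Stop

# Create the GPO from the starter GPO only if it does not exist yet.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -StarterGpoName $starter.DisplayName
}

# Link it at the domain level with link order 1, so it takes precedence
# over the other GPOs linked there (including the default domain GPO).
$existing = (Get-GPInheritance -Target $domainDN).GpoLinks |
    Where-Object { $_.DisplayName -eq $gpoName }
if ($existing) {
    Set-GPLink -Guid $gpo.Id -Target $domainDN -Order 1 -LinkEnabled Yes | Out-Null
} else {
    New-GPLink -Guid $gpo.Id -Target $domainDN -Order 1 -LinkEnabled Yes | Out-Null
}

# Show the resulting link order for review.
(Get-GPInheritance -Target $domainDN).GpoLinks |
    Select-Object Order, DisplayName, Enabled
```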

The GPUPDATE command is used to update group policies for a user and/or computer.

Command-line format:

GPUpdate [/Target:{Computer | User}] [/Force] [/Wait:value] [/Logoff] [/Boot] [/Sync]

Command line options:

/Target:{Computer | User} - Update policy settings for the user only or the computer only. If not specified, both user and computer policy settings are updated.

/Force - Reapply all policy settings. If not specified, only the changed policy settings are applied.

/Wait:value - Time (in seconds) to wait for policy processing to complete. The default is 600 seconds. The value "0" means no waiting. The value "-1" means waiting without a limit. If the timeout expires, the command prompt returns, but policy processing continues.

/Logoff - Log the user off after the Group Policy settings are updated. Required for those Group Policy client-side extensions that do not process policy in the background but only when the user logs on, such as user-targeted software installation or Folder Redirection. This option has no effect unless extensions are invoked that require the user to log off.

/Boot - Restart the computer after the Group Policy settings are applied. Required for those Group Policy client-side extensions that do not process policy in the background but only at startup, such as computer software installations. This option has no effect unless extensions are invoked that require a system restart.

/Sync - The next foreground application of the policy is performed synchronously. Foreground policy application occurs when the computer is restarted or when the user logs on. You can use this option for the user, the computer, or both by specifying the /Target option. The /Force and /Wait options, if specified, are ignored.

Usage examples:

gpupdate /? - display help on using the command.

gpupdate - computer policies and user policies are updated. Only the changed policies are applied.

gpupdate /Target:computer - policies are updated only for the computer.

gpupdate /Force - all policies are updated.

gpupdate /boot - group policies are updated and the computer is restarted.

In this article, we will show a simple way to remotely update group policies on clients (computers and servers) of an Active Directory domain, without having to access the remote machine's console and without using the gpupdate command.

One of the most difficult problems in AD group policy management is testing policies on the fly, without rebooting the computer or accessing the local computer and running the .

The Remote Group Policy Update feature makes it possible to use a single management console (GPMC.msc) for creating, modifying, applying and testing group policies.

Remote Group Policy update functionality first appeared in Microsoft Windows Server 2012; in all subsequent versions (Windows Server 2016, Microsoft Windows 10) this functionality and its stability have been gradually improved.

Requirements for Remote Group Policy Update to work:

Server environment requirements:

  • Windows Server 2012 and higher
  • Or Windows 10 with RSAT (management tools) installed

Requirements for clients:

  • Windows 7 and above

Requirements for network interaction (firewalls) between server and clients:

  • TCP port 135 must be open
  • The Windows Management Instrumentation (WMI) service must be enabled
  • The Task Scheduler service must be enabled

If your environment meets these requirements, open the Group Policy Management Console (GPMC.msc) and select the OU (container) that holds the target computers on which you want to force a GPO update.

Right-click on the desired container and select Group Policy Update.

The window that opens will display information about the number of objects in this OU on which the GPO will be updated. Click the "Yes" button to confirm the action.

In the Remote Group Policy update results window, you will see the status of the policy update, as well as the status of this operation (success / error, error code). Naturally, if a computer is turned off, or access to it is restricted by a firewall, a corresponding error will appear.
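The same status view can be produced from PowerShell around the Invoke-GPUpdate cmdlet described earlier. This is an added example, not code from the original page: the function name is hypothetical, the search base is the page's example, and the pre-check covers only the TCP 135 requirement listed above.

```powershell
# Requires the ActiveDirectory and GroupPolicy modules (RSAT).
Import-Module ActiveDirectory, GroupPolicy

function Invoke-GPUpdateWithPreflight {   # hypothetical helper name
    param(
        [Parameter(Mandatory)][string]$SearchBase,
        [int]$RandomDelayInMinutes = 5
    )
    Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase |
        ForEach-Object {
            $name   = if ($_.DNSHostName) { $_.DNSHostName } else { $_.Name }
            $status = 'Scheduled'
            $detail = ''
            # TCP 135 is the port the page lists as required on clients.
            $reachable = Test-NetConnection -ComputerName $name -Port 135 `
                -InformationLevel Quiet -WarningAction SilentlyContinue
            if (-not $reachable) {
                $status = 'Skipped'
                $detail = 'TCP 135 unreachable (computer off or firewalled)'
            } else {
                try {
                    Invoke-GPUpdate -Computer $name -Force `
                        -RandomDelayInMinutes $RandomDelayInMinutes -ErrorAction Stop
                } catch {
                    $status = 'Failed'
                    $detail = $_.Exception.Message
                }
            }
            [pscustomobject]@{ Computer = $name; Status = $status; Detail = $detail }
        }
}

$results = Invoke-GPUpdateWithPreflight -SearchBase 'cn=computers,dc=example,dc=org'
$results | Group-Object Status | Select-Object Name, Count
$results | Where-Object { $_.Status -ne 'Scheduled' } | Format-Table -AutoSize
```

"Scheduled" here means only that the remote task was created; whether the policy was actually applied still has to be confirmed on the client.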

The Windows 10 update policy controls how Windows 10 receives updates. In Windows 10, the Windows Update settings have been moved from Control Panel to the Settings app. Windows 10 doesn't have the settings that used to be in Control Panel, so there is no way there to turn off updates or choose how you get them. However, using the Registry Editor and the Local Group Policy Editor, you can disable updates and set how you receive them.

Configuring updates using the Local Group Policy Editor

Launch the Local Group Policy Editor: press WIN+R, enter gpedit.msc in the Run window and click OK.

Windows 10 Update Group Policy

Go to Computer Configuration - Administrative Templates - Windows Components - Windows Update. Click the last item, Windows Update, then on the right side find the Configure Automatic Updates item and change its settings.


Configuring Windows 10 Updates Group Policy

To do this, in the window that opens, select the Enabled option at the top, and then set the update options below. Click OK. Then, for the settings you made to take effect, open Settings - Update & Security - Windows Update and press the Check for updates button.


After you've finished configuring Windows 10 policies, run the update

After that, the settings you made in the Local Group Policy Editor will take effect.

Configuring updates using the Registry Editor

Launch the Registry Editor: press WIN+R, enter the command regedit in the Run window that opens and click OK.


Open the Registry Editor and create four settings there to manage Windows 10 updates

In the left part of the editor window, expand HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows. Right-click the last item, Windows. In the context menu that opens, select New - Key. Name the new key WindowsUpdate.
Then right-click the newly created WindowsUpdate key and create another key under it, named AU.
Then right-click the newly created AU key and select New - DWORD (32-bit) Value in the menu that opens. The newly created parameter will appear on the right side of the window; name it AUOptions. In the same way, under the AU key, create three more parameters and name the first one NoAutoUpdate, the second ScheduledInstallDay, and the third ScheduledInstallTime (optionally also NoAutoRebootWithLoggedOnUsers). Now you need to change the values of these four new parameters.

For the AUOptions parameter

  • 2 - Receive a notification before installing and downloading any updates.
  • 3 - Automatically receive updates and notifications about their preparation for installation.
  • 4 - Automatically receive and install updates according to a specified schedule.
  • 5 - Allow local administrators to choose the update mode and notifications themselves.

For the NoAutoUpdate parameter

  • 0 - Automatic installation of updates is enabled, which will be downloaded and installed depending on the settings made in the AUOptions parameter.
  • 1 - Automatic installation of updates is disabled.

For the ScheduledInstallDay parameter

  • 0 - updates will be installed daily if the AUOptions parameter is set to 4.
  • 1 - updates will be installed every Monday if the AUOptions parameter is set to 4.
  • 2 - updates will be installed every Tuesday if the AUOptions parameter is set to 4.
  • 3 - Updates will be installed every Wednesday if AUOptions is set to 4.
  • 4 - updates will be installed every Thursday if the AUOptions parameter is set to 4.
  • 5 - updates will be installed every Friday if the AUOptions parameter is set to 4.
  • 6 - updates will be installed every Saturday if the AUOptions parameter is set to 4.
  • 7 - updates will be installed every Sunday if the AUOptions parameter is set to 4.

For the ScheduledInstallTime parameter

A value from 0 to 23 is the hour of the day at which updates will be installed, if the AUOptions parameter is set to 4.

For the NoAutoRebootWithLoggedOnUsers setting

  • 0 - After the updates are installed, the computer will restart automatically; this works when the AUOptions parameter is set to 4.
  • 1 - After the updates are installed, the computer will not restart automatically; this works when the AUOptions parameter is set to 4.
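To check what is actually configured under the AU key, the value tables above can be turned into a small audit. This is an added example, not part of the original page: the function names are hypothetical and the sample hashtable is constructed. It flags values outside the listed ranges, disabled automatic updates, and schedule values that have no effect because AUOptions is not 4.

```powershell
$AUKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
# Allowed values per parameter, as listed on this page.
$Allowed = [ordered]@{
    AUOptions                     = 2..5
    NoAutoUpdate                  = 0..1
    ScheduledInstallDay           = 0..7
    ScheduledInstallTime          = 0..23
    NoAutoRebootWithLoggedOnUsers = 0..1
}

function Get-AUPolicyValues {             # hypothetical helper: reads the live key
    $values = @{}
    if (Test-Path $AUKey) {
        $item = Get-ItemProperty -Path $AUKey
        foreach ($name in $Allowed.Keys) {
            if ($null -ne $item.$name) { $values[$name] = [int]$item.$name }
        }
    }
    $values
}

function Test-AUPolicy {                  # hypothetical helper: returns findings
    param([hashtable]$Values = (Get-AUPolicyValues))
    $findings = @()
    foreach ($name in $Allowed.Keys) {
        if ($Values.ContainsKey($name) -and $Values[$name] -notin $Allowed[$name]) {
            $findings += "$name=$($Values[$name]) is outside the documented range"
        }
    }
    if ($Values['NoAutoUpdate'] -eq 1) {
        $findings += 'NoAutoUpdate=1: automatic installation of updates is disabled'
    }
    if ($Values.ContainsKey('AUOptions') -and $Values['AUOptions'] -ne 4) {
        foreach ($name in 'ScheduledInstallDay', 'ScheduledInstallTime',
                          'NoAutoRebootWithLoggedOnUsers') {
            if ($Values.ContainsKey($name)) {
                $findings += "$name is set but only takes effect when AUOptions=4"
            }
        }
    }
    $findings
}

# Constructed sample values (not read from any real machine).
$sample = @{ AUOptions = 3; NoAutoUpdate = 1; ScheduledInstallDay = 9; ScheduledInstallTime = 3 }
Test-AUPolicy -Values $sample
# Audit the local machine.
Test-AUPolicy
```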