How to speed up the group policy update process. GPUPDATE – performing group policy updates for the user and computer Secondly, we create remote sessions

After GPO changes, it takes some time (90 minutes +/- 30) for them to propagate to other systems, but if they need to be applied urgently, the administrator logs on to the remote system and runs the command “ gpupdate" With a large number of PCs, the process took some time, and the process itself is inconvenient. Now you can forget about it. In the management console group policy(GPMC) a new item has appeared in the context menu of the domain and division “ Group Policy Update” (Group Policy Update) allows you to update system policies starting with Windows Vista/2008 with two mouse clicks. After activating the task, a list of computers and registered users will be received, after which the task “ Gpupdate.exe /force" To avoid network congestion, it will be performed with a random delay in the range of 0-10 minutes. The result of the task is displayed in a separate window; the success of the update can be determined using the resulting policy wizard.
The new function also received its own cmdlet - Invoke-GPUpdate, which allows you to remotely update GP and provides even greater capabilities than GPMC. By the way, now 27 cmdlets are responsible for group policies, i.e. one more (you can get the full list by entering “ Get-Command -Module GroupPolicy«).
To immediately update policies on a specific system, just run:

PS> Invoke- GPUpdate - Computer< имя компьютера>

PS> Invoke-GPUpdate -Computer< имя компьютера>

Additional key –RandomDelayInMinutes allows you to set a timeout interval, which is useful if the command will be executed on multiple systems.
But the main thing is that in the GPMC console you can only select a division; there is no separate computers container there. This is where Invoke-GPUpdate comes to the rescue, which, together with the Get-ADComputer cmdlet, allows you to select systems by any criterion:

PS> Get- ADComputer –filter * - Searchbase "cn=computers, dc=example,dc=org"| foreach ( Invoke-GPUpdate –computer$_.name –force –-RandomDelayInMinutes 5)

PS> Get-ADComputer –filter * -Searchbase "cn=computers, dc=example,dc=org" | foreach( Invoke-GPUpdate –computer $_.name –force –-RandomDelayInMinutes 5)

Another important point is that you need to open several firewall ports on client systems. To make life easier for the administrator, MS offered 2 new initial policies (to the 8 existing ones), allowing you to quickly create and distribute the necessary settings:

— Firewall ports for remote group policy updates;
- Firewall ports for Group Policy reports.

Their purpose is clear from the name. We are interested in the first one. We recommend that you create a new GPO and move it to the top, giving it a higher priority than the default domain GPO.
The process is simple. Select the domain and select “Create a GPO in this domain” from the menu. In the window that appears, enter the name and select from the list “Firewall ports for remote Group Policy update.” Alternatively, you can use PowerShell.

Summary: Microsoft Scripting Guy, Ed Wilson shows how to force a Group Policy update using PowerShell.

Updating Group Policy in a Domain

Sometimes I make changes to Group Policy on the network and need to apply the changes to all computers. And sometimes I need to update local group policy on my computer.

To update Group Policy settings I use the utility GPUpdate. It has some parameters. By default, the utility updates both the computer and user policies. But this can be controlled using the parameter /target. For example, if I need to update only the computer policy, I will specify /target:computer. To update only the user policy − /target:user.

PS C:\> gpupdate /target:computer

Updating policy…

Default GPUpdate Applies only updated Group Policy settings. To apply all settings, use the parameter /force. The following command updates all Group Policy settings (whether or not they have been changed) for the computer and user.

PS C:\> gpupdate /force

Updating policy…

Computer Policy update has completed successfully.

User Policy update has completed successfully.

First, we get a list of computers in the domain

The first thing I need to do is get a list of all computers in the domain. For this I use the cmdlet Get-ADComputer, part of the Active Directory module.

Note: The Active Directory module is included with RSAT.

I store the resulting computer objects in the $cn variable.

$cn = Get-ADComputer -filt *

Secondly, we create remote sessions

The next thing I need to do is create remote sessions with all computers. To do this, I need to provide credentials to connect to computers, as well as create the sessions themselves using the cmdlet New-PSSession.

To start, I'll use the cmdlet Get-Credentials and store the object returned by it in the $cred variable.

$cred = Get-Credential iammred\administrator

$session = New-PSSession -cn $cn.name -cred $cred

You must remember that there may be computers in the domain that are turned off, so when running the command, errors may be returned. However, despite the errors, Windows PowerShell creates sessions with work computers.

The presence of a large number of errors may cause some concern. Since the session objects are stored in the $sessions variable, I can easily verify that they have been created.

Now let's run the command on all remote machines

To run the command GPUpdate on all remote machines I use the cmdlet Invoke-Command. It uses the sessions we saved in the $sessions variable. Alias ​​for the cmdlet Invoke-Command – icm.

icm -Session $session -ScriptBlock (gpupdate /force)

After running the command, the results are displayed in Windows console PowerShell.

Checking for a Group Policy update

When Group Policy settings are successfully updated on a workstation, event ID 1502 is written to the System log. I can use the cmdlet Invoke-Command to obtain this information.

icm -Session $session -ScriptBlock (Get-EventLog -LogName system -InstanceId 1502 -Newest 1)

The command and its results are shown in the figure below.

Another interesting thing about Group Policy

Sometimes I have to call tech support and they ask me to update Group Policy on my local computer. This is not a problem since I can run GPUpdate straight from PowerShell. The difficulty comes when they ask me to update Group Policy 5 times at 5 minute intervals. But this can also be solved with one line of code.

1..5 | %("refreshing GP $(Get-Date)"; gpupdate /force ; sleep 300)

Ed Wilson, Microsoft Scripting Guy

Original:

Setting the Windows 10 update policy is setting the way Windows 10 receives updates. In Windows 10, Update settings have been moved from Control Panel to System Settings. In Windows 10, there are no such settings as there were in the Control Panel and therefore it is no longer possible to disable updates or choose how to receive them. However, you can use Registry Editor and Local Group Policy Editor to disable updates and set how you receive them.

Configuring updates using the Local Group Policy Editor

Launch the Local Group Policy Editor by pressing two keys on the keyboard at once WIN+R gpedit.msc and click OK.

Windows 10 update group policy

Computer Configuration - Administrative Templates - Windows Components - Windows Update. Click on the last item Windows Update and then on the right side find the item Setting up automatic updates and change its settings.

Setting up Windows 10 updates group policies

To do this, in the window that opens, you need to put a dot at the top next to the Enabled item, and then set the update settings below. Click OK. Then for the settings you made to work, open System Settings - Update & Security - Windows Update and press the button Checking for updates.

Once you've finished setting up Windows 10 policies, run the update

After this, the settings you made in the Local Group Policy Editor will take effect.

Setting Up Updates Using Registry Editor

Launch the Registry Editor by pressing two keys on the keyboard at once WIN+R. The Run window will open in which you enter the command regedit and click OK.

Open Registry Editor and create four settings there to control Windows updates 10

In the left part of the editor window that opens, expand HKEY_LOCAL_MACHINE - SOFTWARE - Policies - Microsoft - Windows. Hover over the last Windows item and right-click. In the context menu that opens, select Create - Section. Name the new section WindowsUpdate.
Then hover over the newly created WindowsUpdate section and again create a section that you name AU.
Then move the cursor over the newly created AU partition and right-click and select from the menu that opens New - DWORD Value (32-bit). The new created parameter will appear on the right side of the window, name it AUOptions. In the same way, hovering the cursor over the AU section, create three more parameters and name the first one NoAutoUpdate, second ScheduledInstallDay, and the third ScheduledInstallTime(optional NoAutoRebootWithLoggedOnUsers). Now you need to change the value in these four new parameters.

For the AUOptions parameter

• 2 - Receive a notification before installing and downloading any updates.
• 3 - Automatically receive updates and notifications when they are ready for installation.
• 4 - Automatically receive and install updates according to a specified schedule.
• 5 - Allow local administrators to choose the update mode and notifications themselves.

For the NoAutoUpdate parameter

• 0 — Enabled automatic installation updates that will be downloaded and installed depending on the settings made in the AUOptions parameter.
• 1 — Automatic installation of updates is disabled.

For the ScheduledInstallDay parameter

• 0—updates will be installed daily if the AUOptions parameter is set to 4.
• 1—updates will be installed every Monday if the AUOptions parameter is set to 4.
• 2 — updates will be installed every Tuesday with the AUOptions parameter set to 4.
• 3 — updates will be installed every Wednesday with the AUOptions parameter set to 4.
• 4—updates will be installed every Thursday if the AUOptions parameter is set to 4.
• 5 — updates will be installed every Friday if the AUOptions parameter is set to 4.
• 6 — updates will be installed every Saturday if the AUOptions parameter is set to 4.
• 7 — updates will be installed every Sunday if the AUOptions parameter is set to 4.

For the ScheduledInstallTime parameter

From 0 to 23, updates will be installed in as many hours depending on the set parameter and if the AUOptions parameter is set to 4.

For the NoAutoRebootWithLoggedOnUsers parameter

• 0 — When the update installation is complete, the computer will automatically reboot; it works with the AUOptions parameter set to 4.
• 1 - When the update installation is complete, the computer will not reboot automatically; it works with the AUOptions parameter set to 4.

The GPUPDATE command is used to update group policies for a user and/or computer.

Format command line:

GPUpdate

Command line options:

/Target:(Computer | User)- Update policy settings for only the user (User) or only the computer (Computer). If not specified, the settings for both policies are updated.

/Force- Applying all policy settings. If not specified, only the changed policy settings are applied.

/Wait:value- Timeout (in seconds) for the policy to complete processing. The default is to wait 600 seconds. Value "0" - no waiting. Value "-1" - the wait is unlimited. If the timeout occurs, the command prompt window is reactivated, but policy processing continues.

/Logoff- Log out after updating Group Policy settings. Required for those Group Policy client extensions that do not process policy in the background but only process it when the user signs in, such as installing programs for the user or folder redirection. This setting has no effect unless extensions are called that require the user to sign out.

/Boot- Perform a reboot after applying Group Policy settings. Required for Group Policy client extensions that do not process policy in the background but only process it when it starts, such as installing computer programs. This setting has no effect unless extensions are called that require a system restart.

/Sync- The next active policy application must occur synchronously. Active policy enforcement occurs when the computer restarts or when the user logs on. You can use this parameter for a user, a computer, or both by specifying the /Target parameter. In this case, the /Force and /Wait parameters, if specified, are skipped.

Examples of using:

gpupdate/?- display a hint on how to use the command.

gpupdate- computer policies and user policies are updated. Only changed policies are applied.

gpupdate /Target:computer- policies are updated only for the computer.

gpupdate /Force- all policies are updated.

gpupdate /Boot- updating group policies with rebooting the computer.

I decided that I needed to write a short article that could and should be referenced quite often. And the topic for this article is how to update Group Policy.

Why do you need to manually update a policy?

When might this come in handy? Almost always, when you change any parameter in any policy. No, do not think that the policy must only be updated manually. In fact, it updates automatically. Once every hour and a half! Imagine you changed some policy and wait an hour and a half to check if it works exactly as you wanted. Brad, isn't it?

Naturally, nonsense. Therefore, there is a way to force the computer to update group policies manually. And before that, a little theory. As you know, politicians are divided into two large groups:

• computer policies
• user policies

Policies from the first group apply to all users of the computer, while policies from the second group apply only to individual users. So, when the computer boots, group policies are loaded immediately. Moreover, all policies are read from scratch, which ensures that the latest changes are applied. But user policies are checked and loaded when the user logs into the system.

Knowing these facts, here is your solution. For user policy changes to take effect, log out and log in again. If you need to update your computer policies, restart your computer. Joke.

Command to update local group policy

The methods described will certainly lead to the desired result, but they are quite stupid. After all, there is one excellent command line utility called gpupdate. In general, to update group policy, the following command is enough:

Gpupdate /force

With this simple action you can quickly update your computer policies.