Windows 8 Group Policy changes – Part 3

The last article in this Windows 8 Group Policy series covers processing improvements and Fast Startup (with its effect on software installation/startup scripts.

Group Policy often receives the negative attention of our end users. From their perspective, Group Policy is the thing always keeping them from getting to their desktop. In most circumstances, it isn’t to blame. That fact hasn’t stopped Microsoft from improving the application and processing of Group Policy. With Windows 8, Group Policy continues to become more and more efficient.

Administrative Templates

As mentioned in Part 2 of this series, every GPO is made up of a Group Policy Container (GPC) and a Group Policy Template (GPT). While the GPC is the brains of the GPO (containing important information like link locations); the GPT, which is stored in SYSVOL, contains the body of the GPO. The GPT contains, among other items, the settings defined within the administrative templates (for both the computer and user).

The folder structure of a GPT

These settings, along with software restriction policies, are stored in the registry.pol file. Whenever a GPO is modified, this file must be retrieved by all applicable clients. With Windows 8/Server 2012, the maximum registry.pol size has been increased to 100 MB. If your company makes use of monolithic GPOs, this change is very important! Because monolithic GPOs usually contain a vast array of settings, the registry.pol file could become large. This increase in maximum size “results in less network access for reading the registry.pol file from the domain controller” Not only will your clients download GPOs faster but previous restrictions on the maximum size of a GPO have been expanded! With the ability to retrieve larger amounts of data, a client can access the network less.

Group Policy Service

Take a look at Services.msc on a Windows 7 and a Windows 8 machine! Although it is quite subtle, the Group Policy services startup type has been changed from:

Automatic

Windows 7 Group Policy Client

To

Windows 8 Group Policy Client

Automatic (Trigger Start)

Because of this change, the Group Policy service can be set to stop or start based on a specific event.

On a Windows 7 machine, Group Policy automatically updates when events like startup or a network change occurs. After this initial update, the service continues to run even though Group Policy won’t update until the refresh interval is reached (at least 90 minutes). This is assuming certain events, like a network change doesn’t occur first. A network change occurs if a machine loses access to a domain controller and later regains access. This is commonly seen in mobile devices.

With Windows 8, this service is stopped until the refresh interval is reached. After the update has finished and the service has been idle for 10 minutes, it is automatically stopped.

The Problem with Fast Startup

Fast Startup, put simply, is one of the primary reasons Windows 8 boots up so fast! When a user initiates a shutdown, the system is actually hibernated. Though this will make your users happy, it can easily add complexity to Group Policy processing.

Certain Group Policy Preference Client Side Extensions (CSEs), such as software installation, require a synchronous processing. This processing mandates that Group Policy processing must finish before a user can login (or even before the login screen is presented).

Let’s look at a practical example. An administrator deploys a piece of software using Group Policy Software Installation.

 

GPO that deploys Adobe Flash

Once our GPO is linked and filtered correctly, computers will begin processing the GPO. Because the Software Installation CSE specifically installs at logon or startup, this CSE will cause the machine to process a full shutdown instead of a fast shutdown.

The big item to keep in mind is that in can take additional restart for a GPO containing software to fully apply. This is mainly dependent on when the GPO containing the software is applied.

The (cool) solution for Fast Startup

Most organizations will probably want to keep Fast Startup. To keep using it without needlessly rebooting, you can do one of the following:

1. Ensure that computers process a GPUpdate before shutting down. When a GPUpdate is run on a client, any GPO containing software will trigger a full shutdown instead of a fast shutdown.

2. Because a reboot always triggers a full shutdown, set a scheduled task to reboot clients at an unused hour (such as 1:00 AM).

The (slow) solution for Fast Startup

If your company simply cannot live with Fast Startup, it can easily be disabled by setting “Computer Configuration/Policies/Administrative Templates/System/Shutdown/Require use of fast startup”. This will, of course, increase the boot up time.