- Poll: How reliable are ChatGPT and Bing Chat? - Tue, May 23 2023
- Pip install Boto3 - Thu, Mar 24 2022
- Install Boto3 (AWS SDK for Python) in Visual Studio Code (VS Code) on Windows - Wed, Feb 23 2022
You probably know that it can take up to 90 minutes until a Group Policy update reaches the clients. A common way to force an update without delay is with the Windows command gpupdate. If you want to remotely refresh Group Policy on multiple clients, you can use the free Sysinternals tool PsExec. By the way, when I tried PsExec with gpupdate recently, I ran into some problems. Please post in the forum if you find a solution to the problem. Anyway, the new methods with PowerShell and GPMC are more flexible and convenient.
Requirements
Some of Microsoft’s guides appear to indicate that Invoke-GPUpdate only works with PowerShell 4.0 and Windows 8.1/Windows Server 2012 R2. However, this cmdlet was introduced with Windows Server 2012/Windows 8 and PowerShell 3.0. This also applies to the GPMC Group Policy Update feature, which is just the GUI pendant of the Invoke-GPUpdate cmdlet.
This doesn’t mean that you can only remotely update Group Policy for these Windows/PowerShell versions. In my tests, I could target Windows 7 clients running PowerShell 2.0 without problems with Invoke-GPUpdate.
However, before you can use this feature, you have to update the firewall settings in your domain. Invoke-GPUpdate only works if you open your clients for Windows Management Instrumentation (WMI-in) and Remote Scheduled Tasks Management (RPC, RPC-EPMAP) traffic.
This is perhaps the biggest downside of this method because the corresponding TCP ports can also be exploited by computer worms. Thus, you have to decide if the reduced security in your network is worth the ability to refresh Group Policies without delay.
Deploy firewall settings
Deploying the Windows Firewall settings is relatively simple and can be done with Group Policy.
- Launch GPMC, navigate to Starter GPOs, and click Create Starter GPOs Folder. (If you worked with Starter GPOs before, you can skip this step.)
- You should now see the Starter GPOs, including Group Policy Remote Update Firewall Ports. Right-click the domain and then select Create a GPO in this domain, and Link it here.
- Give the new GPO the name Group Policy Remote Update Firewall Ports and select the corresponding Starter GPO from the Source Starter GPO dropdown menu below.
- You must ensure that the new GPO comes first in the Linked Group Policy Objects order. You can move the GPO link with the up arrow on the left.
You have to wait until the new Windows Firewall settings replicate to all your clients before you can work with the Invoke-GPUpdate cmdlet.
GPMC Remote Group Policy Update
Forcing a remote Group Policy refresh through the Group Policy Management Console (GPMC) is fairly easy.
- Right-click the container in GPMC and select Group Policy Update.
- Confirm that you want to want force a Group Policy update on the selected clients.
- In the Remote Group Policy update results window you will see a list of computers that have received the update request and those where the refresh failed. Save these results to refer to later, or click Close to exit the results without saving.
If a client is offline or the Windows Firewall blocked access, you will see “The remote procedure call was cancelled” in the Error Description column.
A downside of using GPMC to update policies is that there can still be a delay of up to 10 minutes before all of your clients apply the new Group Policy settings. The reason is that, if you have many computers in your OU, performance of the domain controller might be affected. Of course, this is also the reason normal Group Policy updates are delayed in the first place. So, with this new feature, you can gain just a few minutes. If you really need to force a Group Policy update immediately, you need the PowerShell cmdlet.
Invoke-GPUpdate
One of the advantages of the Invoke-GPUpdate cmdlet is that you can leverage the RandomDelayInMinutes parameter to change the delay. If you want to update Group Policy right away, you just set it to 0.
Invoke-GPUpdate –Computer win7 –RandomDelayInMinutes 0
In this example, I initiated a Group Policy refresh, with no delay, on the computer named “win7.”
Invoke-GPUpdate - Example
Note that the cmdlet doesn’t produce any output if everything worked fine. In some cases your users might see a command window popup with the title taskeng.exe that display the message Updating Policy... The windows disappears after a second or so.
taskeng.exe - Updating Policy
If the computer is not reachable, you will get a nice error message in red: Invoke-GPUpdate : Computer "win8update" is not responding. The target computer is either turned off or Remote Scheduled Tasks Management Firewall rules are disabled.
Computer is not responding
Another advantage of the PowerShell cmdlet is that you have more options in choosing the machines you want to update. For instance, with the command below, you would select all computers that start with “win7” and are in the Active Directory container “test.”
Get-ADComputer –Filter 'Name -like "win7*"' -Searchbase "ou=test, dc=domr2, dc=com" | foreach{ Invoke-GPUpdate –Computer $_.name -Force -RandomDelayInMinutes 0}I also added the Force parameter here to ensure that the Group Policy settings are reapplied even if the client notices that no new GPO versions are available. Thus, when we are talking about forcing a Group Policy refresh, we actually mean two different things. Without the Force parameter, we are just forcing an update without delay; if we add the Force parameter, we are forcing an update even if there really is nothing to update. The Force parameter comes into play if you think something went wrong in a previous GPO update.
Another option you have to remotely refresh GPOs is with PxExec and gpupdate.
How to hide the annoying command window?
The dashes you’re using are invalid characters in Powershell…
Which dashes do you mean?
The dashes in the command Invoke-GPUpdate above, try it yourself, copy and paste the command into powershell (copy it from this website):