GPO WSUS settings do not update after local registry change

  • Question

  • Hi all,

    I thought I had a bright idea: have a local scheduled task run a PowerShell script that checks connectivity to our internal WSUS server. If a connection could not be established, we would set the registry value to a WSUS server in the DMZ.

    The script works fine, but even after a whole working day on the site-to-site VPN on my laptop, I do not see the registry key update after the default 90-minute GPO refresh interval runs. This causes the registry key to keep pointing to my WSUS server in the DMZ.

    Is there anything I can do better to help me here? My goal is that once on VPN, clients will refresh GPO and the WSUS GPO will update the registry key once again.

    Wednesday, June 14, 2017 3:11 PM

Answers

  • Hi,
    Please check if you are using cached credentials to log in instead of checking with the DC first when you are at the remote site.
    If you are allowing the end user to log on using cached credentials, then when the logon is done with cached credentials and a remote access connection is established afterwards, Group Policy is not applied during logon.
    However, if users connecting are logging on using cached credentials, some special group policies will not be processed, because these policies can only be processed at user logon, not in the background refresh. To avoid using cached credentials in a remote access connection, users should select the "Logon using dial-up connection" check box on the Windows Logon dialog box. The application of computer policy is done as a background refresh at the time of logon, or you could force it to run by running gpupdate /force.
    In addition, do you have slow link detection enabled, or another DC at this remote site? A slow link through VPN may cause some Group Policies to fail to apply on remote PCs; you can disable slow link detection or decrease the slow link threshold according to the following article: https://technet.microsoft.com/en-us/library/cc978717.aspx
    Best regards,
    Wendy 

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com


    Friday, June 23, 2017 7:45 AM

All replies

  • Hi,
    By default, computer Group Policy is updated in the background every 90 minutes, with a random offset of 0 to 30 minutes. In addition to background updates, Group Policy for the computer is always updated when the system starts.
    Please try running the gpupdate /force command to force a GPO refresh, and see if the registry is updated by then.
    If that works, you could add the gpupdate /force command to your script to force a GPO refresh once you are on VPN.
    Best regards, 
    Wendy


    Thursday, June 15, 2017 2:09 AM
  • Hi Wendy, 

    If I run gpupdate /force then the GPO will make the changes set in the GPO. But if I just leave my computer on the client site-to-site VPN for a whole day while working, the registry keys do not switch back.

    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate

    This is the key I am in, and I modify these 2 REG_SZ values:

    • WUServer
    • WUStatusServer

    The PowerShell script I run at startup is this:

    # Policy key and the two REG_SZ values the WSUS GPO normally writes.
    $registryPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
    $RegSZ1 = "WUServer"
    $RegSZ2 = "WUStatusServer"

    # URL of the WSUS server in the DMZ (fallback).
    $value = "http://WSUSFQDN:8530"

    # Internal WSUS server; if it cannot be pinged, fall back to the DMZ server.
    $Server = "wsus-emea.euecs.corp.arrow.com"
    if (!(Test-Connection -ComputerName $Server -BufferSize 16 -Count 1 -ErrorAction 0 -Quiet)) {
        "No connection to $Server" | Out-File C:\temp\wsuscheck.txt

        # Create the policy key if it is missing. New-ItemProperty -Force creates
        # or overwrites the values either way, so no separate else branch is needed.
        if (!(Test-Path $registryPath)) {
            New-Item -Path $registryPath -Force | Out-Null
        }
        New-ItemProperty -Path $registryPath -Name $RegSZ1 -Value $value -PropertyType String -Force | Out-Null
        New-ItemProperty -Path $registryPath -Name $RegSZ2 -Value $value -PropertyType String -Force | Out-Null
    }

    I really do not understand why, when connected to VPN, my computer does not update those 2 registry items when GPO is processing.

    Monday, June 19, 2017 8:51 AM
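A reworked version of the failover script above, added here as an example and not the poster's own code. It follows the suggestion in this thread of forcing a computer-side refresh: background refresh leaves values under HKLM\SOFTWARE\Policies alone while the GPO version is unchanged, so once the internal server is reachable again the script runs gpupdate /target:computer /force to let the WSUS GPO overwrite the DMZ values. It probes the WSUS TCP port instead of ICMP (ping is often dropped across VPN and DMZ firewalls while the service port is open), only writes when something actually changes, and uses HTTPS for the DMZ URL. The host names, port, DMZ URL and log path are placeholders.

```powershell
# Added example; not from the original post. Run as SYSTEM from the scheduled task
# (it writes under HKLM\SOFTWARE\Policies). Names below are assumptions.
$PolicyKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$InternalFqdn = 'wsus-internal.corp.example'            # assumption: internal WSUS host
$InternalPort = 8531                                    # assumption: WSUS HTTPS port
$DmzUrl       = 'https://wsus-dmz.example.com:8531'     # assumption: DMZ WSUS URL
$LogPath      = 'C:\ProgramData\wsuscheck.log'          # assumption: log location

function Write-Log([string]$Message) {
    "$(Get-Date -Format s) $Message" | Add-Content -Path $LogPath
}

function Test-WsusReachable([string]$Server, [int]$Port) {
    # TCP probe of the WSUS port; returns $true/$false, no exception on failure.
    Test-NetConnection -ComputerName $Server -Port $Port -InformationLevel Quiet -WarningAction SilentlyContinue
}

function Get-WsusPolicyValues {
    $p = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    [pscustomobject]@{ WUServer = $p.WUServer; WUStatusServer = $p.WUStatusServer }
}

function Set-WsusPolicyValues([string]$Url) {
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    # Set-ItemProperty creates or overwrites, so one code path covers both cases.
    Set-ItemProperty -Path $PolicyKey -Name WUServer       -Value $Url -Type String
    Set-ItemProperty -Path $PolicyKey -Name WUStatusServer -Value $Url -Type String
}

$current = Get-WsusPolicyValues

if (Test-WsusReachable -Server $InternalFqdn -Port $InternalPort) {
    # Back on LAN/VPN. If we previously switched to the DMZ server, the periodic
    # refresh will NOT put the GPO values back (GPO version unchanged), so force it.
    if ($current.WUServer -eq $DmzUrl) {
        Write-Log "Internal WSUS reachable; local WUServer is '$($current.WUServer)', forcing computer policy refresh"
        gpupdate.exe /target:computer /force | Out-Null
        Write-Log "After refresh: WUServer='$((Get-WsusPolicyValues).WUServer)'"
    }
}
else {
    if ($current.WUServer -ne $DmzUrl) {
        Write-Log "No connection to ${InternalFqdn}:${InternalPort}; pointing client at DMZ WSUS"
        Set-WsusPolicyValues -Url $DmzUrl
        # The WU client reads WUServer when the service (re)starts.
        Restart-Service -Name wuauserv -ErrorAction SilentlyContinue
    }
}
```

Keep the DMZ URL on HTTPS with a certificate the clients trust; a plain-HTTP WUServer value lets anyone on the path between the laptop and the DMZ impersonate the update server, and a script that writes that value as SYSTEM is exactly the kind of thing that should not weaken the transport.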
  • We have the same problem we are trying to fix:

    If I delete registry key(s) under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate, the WSUS GPO will not apply them again on our domain controllers. Only when I execute the GPUPDATE /FORCE command are the registry keys corrected by the WSUS GPO on our domain controllers.

    GPRESULT /R /SCOPE COMPUTER /V shows that the GPO is working correctly and is applied, and all registry values should apply correctly, but if you look at the registry, they are not. I've tested this on 6 Windows Server 2012 R2 and 2016 domain controllers and they all have the same issue.

    If I install a new domain controller, it gets the GPO automatically once it is in the Domain Controllers OU where the WSUS GPO is linked, but if you delete one of the Windows Update registry keys on the domain controller, it will never correct itself again until you manually run GPUPDATE /FORCE.

    Does anyone have an idea what's going on?

    Best regards,

    Kris Hermans

    MCSE



    • Edited by Kris Hermans Thursday, October 25, 2018 10:19 AM
    Thursday, October 25, 2018 10:02 AM
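Both reports in this thread (the laptop that keeps its DMZ value after a day on VPN, and the domain controllers whose deleted values never come back) are the same behaviour: at background refresh the Group Policy engine compares the GPO version numbers against those it processed last time and, when nothing changed, skips the Registry (Administrative Templates) extension entirely, so anything edited or deleted locally under HKLM\SOFTWARE\Policies stays that way; gpupdate /force ignores that version check, which is why it fixes it. The supported switch is "Configure registry policy processing" under Computer Configuration > Administrative Templates > System > Group Policy, with "Process even if the Group Policy objects have not changed" enabled. The example below, added here and not part of the thread, sets that option in the WSUS GPO from a machine with the RSAT GroupPolicy module and reports drift between what the GPO specifies and what the local registry holds; the GPO name is an assumption. Drift on the WSUS pointer is worth alerting on regardless, since redirecting WUServer is a straightforward way to push code to a fleet.

```powershell
# Added example; not from the thread. Requires RSAT (GroupPolicy module) and rights
# to edit the GPO. Run on a domain-joined machine that receives the GPO.
Import-Module GroupPolicy

$GpoName = 'WSUS Clients'   # assumption: name of the GPO carrying the WSUS settings
$WuKey   = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
# Registry CSE (Administrative Templates) GUID; its processing options live under this key.
$CseKey  = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}'

function Test-WsusPolicyDrift {
    # Expected value comes from the GPO itself, actual value from this machine's registry.
    $expected = (Get-GPRegistryValue -Name $GpoName -Key $WuKey -ValueName WUServer).Value
    $actual   = (Get-ItemProperty -Path "Registry::$WuKey" -ErrorAction SilentlyContinue).WUServer
    [pscustomobject]@{ Expected = $expected; Actual = $actual; Drift = ($expected -ne $actual) }
}

function Enable-RegistryCseReprocessing {
    # Same effect as "Configure registry policy processing" = Enabled with
    # "Process even if the Group Policy objects have not changed" checked:
    #   NoGPOListChanges  = 0  -> reapply registry policy on every refresh, version unchanged or not
    #   NoBackgroundPolicy = 0 -> keep periodic background processing on
    Set-GPRegistryValue -Name $GpoName -Key $CseKey -ValueName NoGPOListChanges   -Type DWord -Value 0 | Out-Null
    Set-GPRegistryValue -Name $GpoName -Key $CseKey -ValueName NoBackgroundPolicy -Type DWord -Value 0 | Out-Null
}

$before = Test-WsusPolicyDrift
"Before: expected '$($before.Expected)', actual '$($before.Actual)', drift=$($before.Drift)"

Enable-RegistryCseReprocessing

# Editing the GPO bumps its version, so a normal (non-forced) refresh now picks it up.
# From then on, a locally edited or deleted WUServer is restored at the next refresh
# instead of only after gpupdate /force.
gpupdate.exe /target:computer | Out-Null

$after = Test-WsusPolicyDrift
"After:  expected '$($after.Expected)', actual '$($after.Actual)', drift=$($after.Drift)"
```

To verify on a client, delete WUServer from the key, wait for (or trigger with plain gpupdate /target:computer) the next refresh and run Test-WsusPolicyDrift again; Drift should be $false without /force. The cost of the setting is that the Registry extension rewrites its values on every cycle, which is negligible for a handful of WSUS values.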