SCCM RunScript to GPUpdate Machine and Logged-On User GPO policies

    General discussion

  • The below script enables running GPUpdate for a machine and logged-on user from the SCCM Console.

    Try {
        # Run the computer GPUpdate. "echo n" answers any logoff/reboot prompt with No.
        cmd /c "echo n | gpupdate /target:computer /force /wait:0" | Out-Null

        # Now comes the hard part - to run the gpupdate for the logged-on user session.
        # The owner of explorer.exe is the interactively logged-on user.
        $ExplorerProcess = Get-WmiObject Win32_Process | Where-Object { $_.Name -match 'explorer' }
        $LoggedOnUser = ''
        if ($ExplorerProcess) {
            # Several explorer.exe instances may exist; take the owner of the first one
            $Owners = @($ExplorerProcess | ForEach-Object { $_.GetOwner().User })
            $LoggedOnUser = [string]$Owners[0]
        }
        if ($LoggedOnUser.Trim() -eq '') { "Computer GPUpdate Successful. No active user session"; Return }

        # To run the logged-on user session GPUpdate, create a temp, one-off, self-deleting scheduled task to run gpupdate
        $TaskName = "Run User GPUpdate - $((Get-Date).ToString('dd-MM-yyyy-HH-mm-ss'))"
        $ShedService = New-Object -ComObject 'Schedule.Service'
        $ShedService.Connect()                           # connect to the local Task Scheduler service
        $Task = $ShedService.NewTask(0)
        $Task.RegistrationInfo.Description = 'User GPUpdate'
        $Task.Settings.Enabled = $true
        $Task.Settings.AllowDemandStart = $true
        $Task.Settings.DeleteExpiredTaskAfter = 'PT0S'   # delete the task as soon as its trigger expires
        $Task.Settings.StartWhenAvailable = $true
        $trigger = $Task.Triggers.Create(1)              # 1 = TASK_TRIGGER_TIME
        $trigger.StartBoundary = [DateTime]::Now.AddSeconds(5).ToString("yyyy-MM-dd'T'HH:mm:ss")
        $trigger.EndBoundary = [DateTime]::Now.AddSeconds(30).ToString("yyyy-MM-dd'T'HH:mm:ss")
        $trigger.Enabled = $true
        # The doubled quotes yield a double-quoted command string for powershell.exe -command
        $ScriptCode = """ cmd /c echo n | gpupdate.exe /target:user /force /wait:0 """
        $PwshArgument = "-ExecutionPolicy ByPass -NoProfile -WindowStyle Hidden -command $ScriptCode"
        $action = $Task.Actions.Create(0)                # 0 = TASK_ACTION_EXEC
        $action.Path = 'Powershell.exe'
        $action.Arguments = $PwshArgument
        $taskFolder = $ShedService.GetFolder("\")
        # 6 = TASK_CREATE_OR_UPDATE, 4 = TASK_LOGON_GROUP: registering the task for the 'Users' group
        # makes it run in the interactive session of the logged-on user instead of as SYSTEM
        $taskFolder.RegisterTaskDefinition($TaskName, $Task, 6, 'Users', $null, 4) | Out-Null
        "Computer GPO and User $LoggedOnUser GPO update Successful"
    } Catch { "GPUpdate Failed - $($_.Exception.Message)" }

    I have tested it on Windows 10, but please test it before deploying to production. It should work on Windows 7 too. In fact, Windows 7 was the reason why I did not use the Task Scheduler-based cmdlets in this solution.

    Check the Group Policy event logs to ensure GPUpdate ran successfully. The Group Policy log is present under Event Viewer -> Applications and Services Logs -> Microsoft -> Windows -> GroupPolicy -> Operational.

    You will need to look for event IDs 8004 and 8005 logged at the time stamp which coincides with when the script ran. You can see the activity in Task Manager when the script executes. Make sure the Command Line column is shown in the Task Manager process details.

    Please also note the logoff and reboot prompts which would otherwise result from the gpupdate are suppressed in this solution. This is to avoid end user disruption. Presumably only the GPO Client Side extensions require logoff/reboots?

    If you spot any bugs, please let me know. There is one shortcoming (if you want to call it that) wherein, during the user gpupdate execution, the PowerShell console window fleetingly pops up on the end user's desktop and disappears within a couple of seconds, which some may find annoying. As a workaround you can use VBScript to call the user-gpupdate PowerShell script portion and use the cscript .vbs as the Task Scheduler target.

    If one of you has a SCCM CB Community hub account, please feel free to publish it. No credits necessary.

    Special note: This solution incorporates a technique to trigger user-context operations from the SCCM agent (SYSTEM account). This same technique can be used to launch any GUI app/script etc. in the logged-in user's context so users can see that GUI app appearing on their desktop (some may view it as an invasion of privacy). So use it responsibly and sparingly, and especially keep the GDPR in mind before you do anything with it.

    Wednesday, May 15, 2019 12:12 PM
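The following is an added worked example, not part of the post above or its author's script. It turns two things the post only describes into runnable PowerShell: the event-log check for IDs 8004/8005 (the "Check the Group Policy event logs" paragraph), and the audit footprint of the SYSTEM-to-user-session hop the "Special note" warns about, which is exactly what a detection engineer would hunt for. It assumes Windows 10 with PowerShell 5.1 in an elevated console; the function names (Get-GpUpdateResult, Test-UserContextTask, Find-UserContextTaskRegistrations) are this example's own, and the task XML in $SampleTaskContent is constructed to mirror what the post's RegisterTaskDefinition(..., 'Users', $null, 4) call registers, not a captured event.

```powershell
# Added example (not from the original post). Assumes Windows 10 / PowerShell 5.1, elevated.
# Function names are this example's own; the sample task XML below is constructed, not captured.

# --- 1. Did both refreshes complete?  (post: look for 8004 / 8005 in the GroupPolicy Operational log)
function Get-GpUpdateResult {
    param([datetime]$Since = (Get-Date).AddMinutes(-10))
    $filter = @{
        LogName   = 'Microsoft-Windows-GroupPolicy/Operational'
        Id        = 8004, 8005, 7004, 7005   # 8004/8005 = manual computer/user refresh completed; 7004/7005 = failure counterparts
        StartTime = $Since
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Id     = $_.Id
            Scope  = if ($_.Id -in 8004, 7004) { 'Computer' } else { 'User' }
            Result = if ($_.Id -ge 8000) { 'Completed' } else { 'Failed' }
            # SID of the session the refresh ran in: S-1-5-18 (SYSTEM) for computer policy, the
            # user's own SID for the task-launched user refresh, which proves the 'Users' group trick fired
            Sid    = $_.UserId.Value
        }
    }
}

# --- 2. What does the technique look like in the audit trail?  (post's "special note")
# A task registered by SYSTEM whose principal is a *group* (TASK_LOGON_GROUP) runs its action on the
# desktop of every logged-on member. Security event 4698 ("A scheduled task was created"; requires
# "Audit Other Object Access Events" success auditing) carries the full task definition in TaskContent.
function Test-UserContextTask {
    param([Parameter(Mandatory)][string]$TaskContent, [string]$Creator = '')
    $xml       = [xml]$TaskContent
    $principal = $xml.Task.Principals.Principal
    $exec      = $xml.Task.Actions.Exec
    $findings  = @()
    $groupPrincipal = [bool]$principal.GroupId
    $interpreter    = [bool]($exec.Command -match '(?i)powershell|cmd\.exe|wscript|cscript|mshta')
    if ($groupPrincipal) { $findings += "principal is group '$($principal.GroupId)' (runs in every member's interactive session)" }
    if ($interpreter)    { $findings += "action launches interpreter '$($exec.Command)'" }
    if ($exec.Arguments -match '(?i)-WindowStyle\s+Hidden|-w\s+hidden') { $findings += 'hidden window requested' }
    if ($xml.Task.Settings.DeleteExpiredTaskAfter -eq 'PT0S')          { $findings += 'task self-deletes on expiry (short forensic lifetime)' }
    if ($Creator -match '\$$') { $findings += "registered by machine account $Creator (i.e. from SYSTEM)" }
    [pscustomobject]@{
        Suspicious = ($groupPrincipal -and $interpreter)
        Findings   = $findings
    }
}

# Apply the test to live 4698 events; each event's EventData is flattened into a name/value table first
function Find-UserContextTaskRegistrations {
    param([datetime]$Since = (Get-Date).AddDays(-1))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4698; StartTime = $Since } -ErrorAction SilentlyContinue |
      ForEach-Object {
        $evt  = $_
        $data = @{}
        ([xml]$evt.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        $r = Test-UserContextTask -TaskContent $data.TaskContent -Creator $data.SubjectUserName
        if ($r.Suspicious) {
            [pscustomobject]@{ Time = $evt.TimeCreated; Task = $data.TaskName; Creator = $data.SubjectUserName; Findings = ($r.Findings -join '; ') }
        }
      }
}

# Constructed sample TaskContent shaped like what the post's script registers (not a real capture)
$SampleTaskContent = @'
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Description>User GPUpdate</Description></RegistrationInfo>
  <Triggers><TimeTrigger><StartBoundary>2019-05-15T12:12:05</StartBoundary><EndBoundary>2019-05-15T12:12:30</EndBoundary><Enabled>true</Enabled></TimeTrigger></Triggers>
  <Principals><Principal id="Author"><GroupId>Users</GroupId></Principal></Principals>
  <Settings><DeleteExpiredTaskAfter>PT0S</DeleteExpiredTaskAfter><StartWhenAvailable>true</StartWhenAvailable></Settings>
  <Actions Context="Author"><Exec><Command>Powershell.exe</Command><Arguments>-ExecutionPolicy ByPass -NoProfile -WindowStyle Hidden -command "cmd /c echo n | gpupdate.exe /target:user /force /wait:0"</Arguments></Exec></Actions>
</Task>
'@

$result = Test-UserContextTask -TaskContent $SampleTaskContent -Creator 'WS01$'   # 'WS01$' is a made-up machine account
"Suspicious: $($result.Suspicious)"
$result.Findings | ForEach-Object { "  - $_" }

# On a real box, after running the post's script:
#   Get-GpUpdateResult -Since (Get-Date).AddMinutes(-5) | Format-Table
#   Find-UserContextTaskRegistrations | Format-List
```

Two caveats on the second check: 4698 is only written when success auditing for "Audit Other Object Access Events" is enabled, and because the post's task deletes itself on expiry (PT0S), the Security log or a forwarded copy of it is usually the only place the registration survives; the Microsoft-Windows-TaskScheduler/Operational log would also record it but is disabled by default. The same Test-UserContextTask findings that describe the post's legitimate GPUpdate task also describe a SYSTEM-level implant pushing a hidden PowerShell into the user's desktop, so the useful signal is the creator and the command, not the group-principal trick by itself.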