Windows 10 1909 - installed via OSD Task Sequence, not applying computer-based GPOs

  • Question

  • There seems to be a bug with Windows 10 1909 where computer-based GPOs do not apply properly after a fresh install.  The specific component in the computer GPO that's not applying is "Registry".  I've also tried offline servicing the wim file with the Dec LCU and the symptoms persist.  I did find this article reporting the same issue, and after trying the fix suggested in the comments it actually does resolve the issue, but multiple reboots/reapplying the reg keys are required:

    https://borncity.com/win/2019/12/30/windows-10-v1909-und-ein-mgliches-gpo-problem/

    Is anyone else experiencing this?  The ISO was downloaded from VLSC, and just for reference our ConfigMgr version is 1906 with hotfix rollup KB4517869.  Using the same OSD task sequence with any other version of Windows 10 has no issues.  Also, on different hardware or a VM, the symptoms persist.

    Thank you

    Friday, January 3, 2020 11:33 PM

Answers

  • Thank you for checking in Simon,

    Yes we have found the solution.  Based on Martin_Lim's feedback in this posting

    https://social.technet.microsoft.com/Forums/en-US/3bd6fcbf-ce60-4920-a623-0f2c21b828f6/win-10-1903-osd-group-policy-issue?forum=ConfigMgrCBOSD#bc160e91-6d19-45c4-9102-853df14aa60a

    It appears that using group policy to control core Defender settings on 1909 causes this issue.  It would be nice to know what exactly is creating this behavior though, as according to the Tamper Protection documentation, this feature is not enabled by default.  However, something has changed in Defender on 1909 that does not like managing its settings through group policy.

    Anyway, here was my fix from my other post:

    "My fix was to remove these 2 computer settings from GPO.

    -Join Microsoft MAPS

    -Select cloud protection level

    Once I removed these from GPO, 1909 now picks up its group policies right away after the task sequence completes.  I moved both of these settings to Configuration Manager Anti-Malware policies, hopefully that won't cause issues applying computer policy updates in the future, but for now, at least this issue is fixed."

    I see no evidence on my workstations that Tamper Protection is enabled, so it would be great to find out what in Defender in 1909 causes this behavior.

    Thanks!

    Thursday, January 23, 2020 5:41 PM
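
Added example, not part of the original thread: a PowerShell check, run elevated on an affected 1909 client, for whether the two settings named in the answer are still present under the Defender policy key, plus Defender's effective values and Tamper Protection state. It assumes the usual ADMX registry locations (`Spynet\SpynetReporting` and `MpEngine\MpCloudBlockLevel`); the function name is hypothetical.

```powershell
# Added example (not from the thread). Assumption: the two GPO settings map to
# the standard Defender ADMX registry values listed below.
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
$settings = @(
    [pscustomobject]@{ Setting = 'Join Microsoft MAPS'
                       Key = "$policyRoot\Spynet";   Value = 'SpynetReporting' }
    [pscustomobject]@{ Setting = 'Select cloud protection level'
                       Key = "$policyRoot\MpEngine"; Value = 'MpCloudBlockLevel' }
)

# Hypothetical helper: reports whether each policy value exists and its data.
function Get-DefenderPolicyState {
    param([Parameter(Mandatory)][object[]]$Settings)
    foreach ($s in $Settings) {
        $data = $null
        if (Test-Path -LiteralPath $s.Key) {
            $item = Get-ItemProperty -LiteralPath $s.Key -Name $s.Value `
                        -ErrorAction SilentlyContinue
            if ($item) { $data = $item.($s.Value) }
        }
        [pscustomobject]@{
            Setting            = $s.Setting
            PolicyValuePresent = $null -ne $data
            Data               = $data
        }
    }
}

$state = Get-DefenderPolicyState -Settings $settings
$state | Format-Table -AutoSize

# Effective Defender configuration, for comparison with the policy values.
Get-MpPreference | Select-Object MAPSReporting, CloudBlockLevel

# Tamper Protection state, which the poster could find no evidence of.
Get-MpComputerStatus | Select-Object IsTamperProtected

# A value under the policy key shows the setting is policy-managed; the
# registry does not record which management tool wrote it.
if ($state.PolicyValuePresent -contains $true) {
    Write-Warning 'Defender MAPS/cloud-level policy values are still present on this client.'
}
```

Running it before and after removing the two settings from the GPO (followed by `gpupdate /force`) shows whether the policy values have actually left the client.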

All replies

  • Hi,

    Thanks for posting in TechNet.

    May we know if it works well when we manually install a Windows 10 1909 client? Does the Registry-related GPO apply successfully? 

    Based on my experience, the issue is related to Windows 10 1909 itself; SCCM doesn't do much more about GPO. It's recommended to submit a new case with Windows 10 support to get better support.

    Thanks for your time and understanding.

    Best regards,
    Simon

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, January 6, 2020 2:34 AM
  • Hi,

    Just checking in to see if there is any update. May we know the current status of the question? If there is any other assistance we can provide, please feel free to let us know, we will do our best to help you.

    Thanks and regards,
    Simon

    Thursday, January 9, 2020 2:37 AM
  • Thank you for your feedback, I'm kind of hoping the Jan LCU resolves this issue.  If not, I'll attempt to recreate this issue using a manual install of 1909, I'll report back the results should I need to go down that road.
    Friday, January 10, 2020 12:40 AM
  • Hi,

    Thanks for your reply.

    OK. Looking forward to hearing good news from you.

    Thanks and regards,
    Simon

    Friday, January 10, 2020 1:35 AM
  • Hi,
     
    Just checking in to see if there is any update. We haven't heard from you for a few days and would like to know the current status of the problem. Is the problem solved? Do you need any further assistance? Look forward to hearing from you.
     
    Thanks for your time.
     
    Best regards,
    Simon

    Tuesday, January 14, 2020 1:21 AM