Tuesday, May 28, 2013

Doing a Group Policy update during OS deployment

Last month I did a new ConfigMgr 2012 SP1 installation. Installing one specific application required a Group Policy update first. The catch is that this isn't actually allowed during OS deployment. When a "GPupdate /force" is run during a task sequence, the system hangs on that specific step and the deployment stops. Microsoft has the following to say on this topic:

The Setup Windows and ConfigMgr task sequence action is responsible for running Group Policy on the newly installed computer. The time at which Group Policy is applied during the task sequence action depends on the operating system being deployed. For Windows XP and Windows Server 2003, Group Policy is applied after the Setup Windows and ConfigMgr task sequence action is completed. On Windows Vista and Windows Server 2008, Group Policy is applied after the task sequence is finished.

With Windows 7 or Windows 8, Group Policy is likewise applied after the task sequence is finished. A workaround is to add a mandatory deployment for the application, which becomes active after deployment. That way the application is installed after deployment, when Group Policy is already active.

Just remember: adding an extra last step in a task sequence for a computer restart (or multiple restarts) doesn't resolve this issue. A computer restart is needed after the task sequence deployment to make Group Policy active on the system. Hope it helps!

7 comments:

  1. Actually your source of information is wrong (TechNet is not accurate). All GPO settings for all OS layers are applied after a TS is finished. There is no difference.
    To further explain, GP cannot be applied during a task sequence, it is essentially blocked. When a task sequence finishes, it does not force any kind of refresh, but the machine is in a state where GP can now be applied. If it is critical to apply GP immediately, using a reg key and script is generally a good way.

    1. Thanks for the explanation Kenny!

    2. Hi Kenny,

      Do you know Microsoft's reasoning behind blocking gpupdate? I can see why updates are disabled, you're installing an OS and you can install patches and updates as part of the TS via WSUS. But gpupdate? To prevent group membership changes? To prevent software installations via GPO? Not clear to me, real bugger too... Is there any way to work around this and make GPO processing possible in a TS (during OSD that is, custom task sequences work fine)?

      Thanks
      Chris

  2. I would really like your post, it would really explain each and every doing group policy update during clearly well thanks for sharing.

  3. Ernst Jan Verbree, June 1, 2015 at 1:58 PM

    Has anyone found a neat way to apply the GPO before or right after the Task Sequence finishes? Cause I found that no amount of reboots in the TS makes the computer receive its computer-GPO.

    I don't have a SCCM task sequence in production yet. So, at the moment I still manually reboot my test-machines to make them get the GPO. But I gotta find a way to automate this.

    I'm now thinking of some scheduled task that reboots the machine. But I'd rather give the user no option to log on before the GPO is applied. Because if people log on before the GPO is applied there's several things that go wrong.

    1. You can create a scheduled task at the end of deployment, which does a gpupdate and a reboot of the system. That way a force is done on the gpupdate process.

    2. Thanks.

      This was indeed what I ended up doing. A rather elaborate scheme of tied together scripts. A typical example of "Thanks Bill"

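The scheduled-task approach from the replies above, as an added example that is not part of the original post or its comments: a PowerShell script for the last task sequence step that registers a SYSTEM task, which waits until the task sequence has ended, refreshes computer policy and restarts. The task name, the folder and the use of a running TSManager.exe process as the "deployment still in progress" signal are assumptions of this example.

```powershell
# Added example, not from the original post. Run elevated as the LAST task sequence step.
# Hypothetical names: task name and folder. Assumption: the task sequence engine
# runs as TSManager.exe, so its absence means the deployment has finished.
$TaskName = 'PostOSD-GPUpdate'
$WorkDir  = Join-Path $env:ProgramData 'PostOSD'
$Script   = Join-Path $WorkDir 'Invoke-GPUpdate.ps1'

New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# The payload runs as SYSTEM, so standard users must not be able to write here.
# Drop inherited ACEs; grant full control only to SYSTEM (S-1-5-18)
# and Administrators (S-1-5-32-544).
& icacls.exe $WorkDir /inheritance:r /grant:r '*S-1-5-18:(OI)(CI)F' '*S-1-5-32-544:(OI)(CI)F' | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

# Payload executed by the scheduled task (single-quoted here-string: nothing expands now).
$Payload = @'
$log  = Join-Path (Split-Path -Parent $MyInvocation.MyCommand.Path) 'gpupdate.log'
$task = 'PostOSD-GPUpdate'   # must match the name used at registration

# Group Policy is still blocked while the task sequence runs: retry on the next trigger.
if (Get-Process -Name TSManager -ErrorAction SilentlyContinue) { exit 0 }

# Remove the task first so the restart can never re-enter this script.
& schtasks.exe /Delete /TN $task /F | Out-Null

"$(Get-Date -Format o) starting computer policy refresh" | Out-File $log -Append
# Answer N if gpupdate asks to restart; the restart is issued below.
'N' | & gpupdate.exe /target:computer /force 2>&1 | Out-File $log -Append
"$(Get-Date -Format o) gpupdate exit code $LASTEXITCODE" | Out-File $log -Append

& shutdown.exe /r /t 0
'@
Set-Content -Path $Script -Value $Payload -Encoding ASCII

# Poll every 2 minutes as SYSTEM; /F overwrites an existing task of the same name.
# The script path contains no spaces, so no nested quoting is needed in /TR.
$Action = "powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -File $Script"
& schtasks.exe /Create /TN $TaskName /TR $Action /SC MINUTE /MO 2 /RU SYSTEM /RL HIGHEST /F
if ($LASTEXITCODE -ne 0) { throw "schtasks failed with exit code $LASTEXITCODE" }
```

This does not keep users from logging on in the window between the end of the task sequence and the restart; it only shortens that window to the polling interval.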