Group policy update comes to Windows 8

Group policy update comes to Windows 8

Summary: The new Group Policy Update feature in Windows 8 could be a real time-saver for IT admins. Here's how it works.

TOPICS: Microsoft

I'm taking a couple weeks off before the busiest part of Microsoft's 2012 kicks into full gear. But never fear: The Microsoft watching will go on while I'm gone. I've asked a few illustrious members of the worldwide Microsoft community to share their insights via guest posts on a variety of topics -- from Windows Phone, to Hyper-V. Today's entry is all about a new administrative feature in Windows 8 is authored by Alan Burchill.

As most IT administrators know, group policy is the feature in Windows that allows you to configured large number of windows computer easily and automatically. These configuration settings are stored in Active Directory (AD) for the workstation to then poll on a periodic basis for any configuration changes. This polling typically take 90 minutes (with some random offset), meaning that any configuration changes that an IT admin makes takes up to 2 hours or more to take effect.

One of the great new features that Microsoft has added to Windows 8 is now the ability to force a group policy update to run. This new feature called “Group Policy Update” can effectively give admins the way to push out configuration changes to all the computers online in less than 10 minutes. This is of course very handy if you want to quickly push out a quick policy change or quickly undo a setting that you might have configured by mistake.

To initiate this Group Policy Update all an administrator has to do is right click on any of the Organization Unit’s (OU) in AD and click the “Group Policy Update...” option. (See image below.)

After following the Group Policy Update wizard it then establishes a connection with every computer in that OU and creates a schedule task to run “gpupdate.exe /force” for both the computer and any user’s currently logged on. (See image below.)

Any computers that are shutdown or disconnected when this happens are not affected, as the wizard cannot reach them. However in this case a policy update is triggered automatically when they are next turned on or connect to the corporate LAN.

One very important note about this feature is that admins will need to open up some holes in the client firewall to allow this incoming connection to make the schedule task. This can, of course, also be done via group policy. However, admins will need to allow for the standard 90 minutes (give or take) for this to take effect in advanced.

The required firewall rules that need to be enabled on the client are:

  • Remote Scheduled Tasks Management (RPC)
  • Remote Scheduled Tasks Management (RPC-EPMAP)
  • Windows Management Instrumentation (WMI-IN)

As is true with almost everything else in Windows 8, PowerShell prevails; admins also run the same Group Policy Update using it. The necessary command is called “Invoke-GPUpdate” and it provides a little more power such as targeting a single computer or scheduling it to run straight away instead of waiting the standard 10 minutes.

With anything to do with group policy, Spiderman administrators have great power and this means you must take great caution before making any changes in your environment -- so keep in mind if the changes you are making to the computers cause a lot of load then you could very easily bring your network to a grinding halt. This is why Microsoft only allows admins to perform a group policy update on an OU and not the entire domain. However, it has been tested on over 10,000 computers at once with a single (presumably very powerful) domain controller, so it is pretty safe if all you are updating is a shortcut or something along those lines.

While this feature should not be used in day to day operation it is certainly nice know it exist out of the box in case you need to quickly make a policy change.

A more detailed version of this post can be found at How to configure and use “Group Policy Update” in Windows 8 via the Group Policy Central web site.

Alan Burchill been in the IT Industry for over 10 year of which the past two he is has been a Group Policy MVP. He is the owner and author of the Group Policy Central web site and is one of the organizers of the Brisbane Microsoft Infrastructure Users Group and upcoming Infrastructure Saturday community event. After hours he is a part time PC gamer and a full time husband to a wonderful wife and Dad to three lovely girls.

Topic: Microsoft


Mary Jo has covered the tech industry for 30 years for a variety of publications and Web sites, and is a frequent guest on radio, TV and podcasts, speaking about all things Microsoft-related. She is the author of Microsoft 2.0: How Microsoft plans to stay relevant in the post-Gates era (John Wiley & Sons, 2008).

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • Nice

    This will make a GPO push easier than it is now but there have always been ways to do this as long as you have scripting knowledge.
    • Yup

      There's VBS and WMI tricks + script enablers like PsExec and Flex Command for GP processing, to include leveraging Secedit with the right switches, but always nice to see updated tweaks to Gpupdate to speed things up for the target OU. Pushing thru a path to allow the necessary packet delivery has often been a bigger PITA.

      I saw the author's work-in-progress posts re GP+WS8 at GPC earlier. Interesting to see this related W8 guest post here at ZDN now.
  • Marco Shaw

    Not a biggie, but this is more of a "Windows Server 2012" thing, than a "Windows 8" thing now that the name has been officially changed.
  • Nothing new?

    "gpupdate.exe /force" is already there since Windows Vista at least... do I miss the point?
    • Something new

      gpupdate.exe /force has been around since XP. Before then on Windows 2000 it was secedit /refreshpolicy machine_policy /enforce.

      The point is you can now automatically do that on all workstations with a single click of the button.
    • Re: Nothing new?

      Yes, "gpupdate.exe /force" is already there. This feature allows the admin to force that command to run on all online computers immediately. Previously, you would either have to update GP and wait 1-2 hours for the machines to update themselves, or remotely execute the command on each individual machine. Depending on how many computers you manage, that could easily take hours.
      Harry S.
  • No Randomizer

    It should have created scheduled jobs on the targets with a randomly-selected time between 1 and X minutes in order to avoid hammering the domain controller(s). This would have been trivial to build into the tool by default.
    • Read the documentation

      It does,

      A remote scheduled task is created to run Gpupdate.exe /force for each logged on user and once for the computer Group Policy refresh. The scheduled task is scheduled to run with a random delay of up to 10 minutes in order to decrease the load on the network traffic. This random delay cannot be configured when using the GPMC, but you can configure the random delay for the scheduled task or set the scheduled task to be run immediately when you use the Invoke-GPUpdate cmdlet.

      works from windows 2012 and windows 8
      works for windows vista or later