CIAOPS Podcast–Episode 29 – Hear me talk about Windows 8, Windows Server 2012 and Group Policy…

I recently recorded an episode of the CIAOPS Podcast where Robert Crane and I talked about all things Windows 8, Windows Server 2012 and Group Policy. Note: We recorded this podcast the night before Microsoft announced (see https://twitter.com/#!/BuildWindows8/status/194627936115101696 ) that the Windows 8 Release Preview will be out in the first week of June, but our guesses at the release date were pretty close…

You can subscribe to the podcast at http://ciaops.podbean.com/2012/05/08/episode-29-alan-burchill/

Or listen to it below if you have an HTML5 browser.

What’s changed with the Group Policy Client Service in Windows 8

With the release of Windows 8 Microsoft has gone back and worked on the fundamentals of the OS to make it more efficient than even Windows 7, so that the OS does the same (if not more) using fewer system resources. One of the ways they achieve this is by controlling the “Group Policy Client” service so that it only runs when required. This “Always On Always Connected” (a.k.a. AOAC) optimisation basically means that the service shuts down whenever it is not being used and so consumes no RAM or CPU cycles while idle.

So in this post I will take a deeper look at how this new AOAC optimisation actually works…

Firstly, the most obvious change you may notice is that the Group Policy Client service will normally not be running. This is entirely fine and there is no reason to worry that the service is not running…

So when a computer does a Group Policy refresh the Group Policy Client service starts on demand to process the policy update and then stays running for 5 minutes. This 5 minute delayed shutdown avoids having to load and unload the service if you are performing multiple GPUPDATEs in quick succession, say for testing…

Note: This service also starts on demand when you perform a GPUPDATE or a remote Group Policy Update.

The service start-up is probably going to take under a second on most systems anyway, so it is not an impact you are likely to notice.

So you might wonder how the background refresh of Group Policy still happens if the service is no longer running… The answer is Scheduled Tasks. Rather than having the service sit idle and check periodically to see if it needs to run, a scheduled task is created for the next time the service needs to perform a refresh. But… jumping into the Group Policy section of Task Scheduler will NOT show this task, as it is registered under the “SYSTEM” account.

However, if you use the PSEXEC tool to run Task Scheduler as “SYSTEM” you can see this task…

If you take a look at the history of this task you will see that the task is deleted and a new one is registered during each policy update…

This AOAC optimisation of the Group Policy Client service is only seen on the workstation version of Windows 8; on Windows Server 2012 the service stays running as normal. If you want the service to stay running all the time like it did before, you can enable the “Turn off Group Policy Client Service AOAC optimization” policy found under Computer Configuration > Policies > Administrative Templates > System > Group Policy.
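The following is an added example (not from the original post) that lets you observe the AOAC behaviour described above on a Windows 8 workstation from an elevated PowerShell prompt: the idle service state, its start triggers, the on-demand start during a refresh, the five minute idle shutdown, and the SYSTEM-registered refresh task. It assumes the Sysinternals PsExec tool is in the PATH for the last step; the DisableAOACProcessing registry value name for the “Turn off Group Policy Client Service AOAC optimization” policy is taken from GroupPolicy.admx and is an assumption you should verify against your own copy of the ADMX.

```powershell
# Added example, not from the original post: observe the AOAC behaviour of the
# Group Policy Client service (gpsvc) on a Windows 8 workstation.
# Run from an elevated PowerShell 3.0 prompt. PsExec is assumed to be in PATH.

function Get-GpsvcState {
    # Win32_Service exposes both State and StartMode on Windows 8's PowerShell 3.0
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='gpsvc'"
    [pscustomobject]@{ State = $svc.State; StartMode = $svc.StartMode; Checked = Get-Date }
}

# 1. Idle workstation: expect State = Stopped, StartMode = Manual
Get-GpsvcState

# 2. The service is trigger-started rather than sitting idle; list its triggers
sc.exe qtriggerinfo gpsvc

# 3. Force a computer policy refresh and watch the service start on demand...
gpupdate.exe /target:computer /force | Out-Null
Get-GpsvcState        # expect State = Running

# ...then stop again after the five minute idle timeout (poll once a minute,
# give up after seven minutes if the policy above has disabled AOAC).
$deadline = (Get-Date).AddMinutes(7)
do {
    Start-Sleep -Seconds 60
    $state = Get-GpsvcState
    "{0:HH:mm:ss}  gpsvc is {1}" -f $state.Checked, $state.State
} while ($state.State -eq 'Running' -and (Get-Date) -lt $deadline)

# 4. The refresh task is registered by SYSTEM and hidden from the normal Task
#    Scheduler view, so query the task list as SYSTEM via PsExec and show the
#    entries under the GroupPolicy folder.
psexec.exe -accepteula -s schtasks.exe /query /fo LIST /v |
    Select-String -Pattern '\\Microsoft\\Windows\\GroupPolicy\\' -Context 0,12

# 5. Check whether AOAC optimisation has been turned off by policy.
#    Assumption: the policy writes DisableAOACProcessing=1 under this key
#    (per GroupPolicy.admx; verify against your ADMX copy).
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$v = Get-ItemProperty -Path $key -Name DisableAOACProcessing -ErrorAction SilentlyContinue
if ($v -and $v.DisableAOACProcessing -eq 1) { 'AOAC optimisation disabled by policy' }
else { 'AOAC optimisation enabled (default)' }
```

Step 4 is the PowerShell equivalent of opening Task Scheduler under PsExec: schtasks.exe runs as SYSTEM so it can enumerate the task that a normal administrator session cannot see, and the task's history (registered and deleted on every refresh) is visible in the same way.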

However, this new optimisation is pretty much an all-pro, no-con change and I am hard pressed to think why you would ever want to revert this behaviour…

Security Compliance Manager (SCM) v2.5 Out Now

Microsoft has now released the latest version of the Security Compliance Manager (SCM) tool, v2.5. This FREE tool is your one-stop shop for downloading best practice security guidance and configuration settings for your Microsoft products. It also allows you to import existing Group Policy Objects and compare their settings against the Microsoft templates or other custom baseline templates.

This new version also adds support for PowerShell, allowing you to check for specific configuration settings programmatically (via the DCM feature in SCCM) rather than only through GPO settings. You will also notice the just-released “Win7SP1 Extended DCM Checks 1.0” baseline, which checks some of the essential security settings on a computer so you can quickly see which PCs are compliant in your environment.
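As an added illustration (not SCM’s own code and not the contents of any baseline it ships), here is the kind of PowerShell-based configuration check that can be packaged into a DCM pack: it reads a handful of registry-backed settings, reports each one, and finishes with a single Compliant/NonCompliant token for DCM to evaluate. The three settings are illustrative, well-known Windows 7 values chosen for the example, not a reproduction of the Win7SP1 Extended DCM Checks baseline.

```powershell
# Added example, not SCM's own code: a PowerShell-style compliance check of the
# sort SCM 2.5 can express instead of a pure GPO setting comparison.
# The settings below are illustrative choices for this example.

$checks = @(
    @{ Name = 'UAC enabled (EnableLUA)'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Value = 'EnableLUA'; Expected = 1 },
    @{ Name = 'Domain profile firewall on'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile'
       Value = 'EnableFirewall'; Expected = 1 },
    @{ Name = 'Automatic Updates not disabled by policy'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
       Value = 'NoAutoUpdate'; Expected = 0; MissingIsCompliant = $true }
)

function Test-Setting($check) {
    $item = Get-ItemProperty -Path $check.Path -Name $check.Value -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Value absent: only compliant where the default (unset) state is the secure one
        $actual = $null
        $ok = [bool]$check.MissingIsCompliant
    } else {
        $actual = $item.($check.Value)
        $ok = ($actual -eq $check.Expected)
    }
    [pscustomobject]@{ Setting = $check.Name; Expected = $check.Expected; Actual = $actual; Compliant = $ok }
}

$results = $checks | ForEach-Object { Test-Setting $_ }
$results | Format-Table -AutoSize

# A DCM script setting compares the script's output with an expected value,
# so emit one token as the last line for the configuration item to evaluate.
if ($results.Compliant -contains $false) { 'NonCompliant' } else { 'Compliant' }
```

The MissingIsCompliant flag is the part worth copying: a registry-based check has to decide explicitly what an absent value means, otherwise an unconfigured machine is silently reported as compliant (or non-compliant) by accident.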

Below is a summary of the new features and baselines…

NEW baselines include:

    • Exchange Server 2007 SP3 Security Baseline
    • Exchange Server 2010 SP2 Security Baseline

Updated client product baselines include:

    • Windows 7 SP1 Security Compliance Baseline
    • Windows Vista SP2 Security Compliance Baseline
    • Windows XP SP3 Security Compliance Baseline
    • Office 2010 SP1 Security Baseline
    • Internet Explorer 8 Security Compliance Baseline

Other key features in SCM 2.5 include:

  • Gold master support: Import and take advantage of your existing Group Policy, or create a snapshot of a reference machine to kick-start your project using the Local GPO tool included in this release. SCM enables import of these policies, empowers you to make informed configuration decisions, and then exports a DCM pack to check for compliance against the golden master configuration.
  • Remediation ready: Setting-level severity ratings allow customers to quickly sort, prioritize, and apply Microsoft security and compliance recommendations. In addition, severity ratings can now be used to leverage the System Center Configuration Manager 2012 auto-remediation scenarios.
  • Configure stand-alone machines: Deploy your configurations to non-domain joined computers using the GPO Pack feature of the Local GPO tool.
  • Integration with the System Center 2012 Process Pack for IT GRC: Product configurations are integrated into the Process Pack for IT GRC to provide oversight and reporting of your compliance activities. New compliance-based setting groups allow quicker and easier compliance reporting and audit preparation when used with the GRC management solution within System Center.

SCM 2.5 is available now from the Microsoft Download Center.

How to configure and use “Group Policy Update” in Windows 8

“Group Policy Update” is a feature that allows IT admins to forcibly update Group Policy on all the computers in an OU. It works by creating a scheduled task on each workstation to run the gpupdate command at a random time within the next 10 minutes. The implementation is fairly simple: the GPMC console just schedules the task remotely on any computer that is online at the time the update is run.

Note: This means that if a computer is offline for any reason then policy will not be updated on that computer; the task is only created on computers that are reachable at the time.

I have mentioned this feature in my previous post What’s new with Group Policy in Windows 8, but I have now updated the screenshots and added the firewall configuration changes required to enable this feature.

Firewall Prerequisites for Group Policy Update

Before this feature works you first need to configure the firewall on all the remote client computers to allow GPMC to create the remote task that performs the policy update. Make sure this is done at least two hours in advance to allow the firewall policy change to propagate to the clients.

The required firewall rules that need to be enabled on the clients are:

  • Remote Scheduled Tasks Management (RPC)
  • Remote Scheduled Tasks Management (RPC-EPMAP)
  • Windows Management Instrumentation (WMI-IN)

Step 1. Edit a Group Policy Object that is targeted at the computer objects on which you want to enable this feature.

Tip: You will probably want to create a new GPO linked at the domain level so that the feature is enabled automatically for all computers, but this is of course up to you.

Step 2. In the policy navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security, then right click on “Windows Firewall with Advanced Security” and click on “New Rule…”

Step 3. Click on the “Predefined” option, select the “Remote Scheduled Tasks Management” rule group and then click “Next”

Step 4. Now click “Next”

Step 5. Click “Finish”

Now repeat steps 2 to 5, this time selecting the “Windows Management Instrumentation (WMI)” option.

Optional (but recommended): Now that you have enabled the firewall rules it is advisable to go back and change the scope of the rules so that they only apply in the Domain profile. This ensures that these ports are NOT open when the computer is connected to a public or home network.

Step 6. Right click on each firewall rule and click on “Properties”.

Step 7. Click on the “Advanced” tab and un-check the “Private” and “Public” profiles.

Now repeat steps 6 and 7 for each of the rules you created to make sure each one applies only to the “Domain” profile.

Now that the firewall rules are created you will need to wait at least 2 hours to ensure the rules have propagated to the clients…

To confirm the settings have applied you can view the firewall rules on an affected computer in Windows Firewall with Advanced Security.
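The following is an added example (not from the original post) that performs the same confirmation from an elevated PowerShell prompt on a Windows 8 client: it pulls the effective inbound rules for the two predefined groups, shows the ports they open, and warns if any enabled rule is still scoped beyond the Domain profile, which is the misconfiguration the optional steps above exist to prevent. It assumes only the NetSecurity module that ships with Windows 8.

```powershell
# Added example, not from the original post: verify on a Windows 8 client that
# the GPO-delivered rules are enabled and restricted to the Domain profile.
# Run in an elevated prompt once the policy has refreshed.
Import-Module NetSecurity

$groups = 'Remote Scheduled Tasks Management', 'Windows Management Instrumentation (WMI)'

# ActiveStore = the effective rule set, so GPO-delivered rules are included and
# PolicyStoreSource shows which GPO supplied each one.
$rules = foreach ($g in $groups) {
    Get-NetFirewallRule -PolicyStore ActiveStore -DisplayGroup $g `
        -Direction Inbound -Enabled True -ErrorAction SilentlyContinue
}

foreach ($g in $groups) {
    if (-not ($rules | Where-Object DisplayGroup -eq $g)) {
        Write-Warning "No enabled inbound rules for '$g': the GPO has not applied yet or targets a different OU"
    }
}

$rules | Select-Object DisplayName, Enabled, Profile, PolicyStoreSource |
    Sort-Object DisplayName | Format-Table -AutoSize

# Which listeners these rules expose (EPMAP is TCP 135, the rest use RPC dynamic ports)
$rules | Get-NetFirewallPortFilter | Select-Object InstanceID, Protocol, LocalPort | Format-Table -AutoSize

# Any enabled rule still scoped to Private or Public leaves the RPC/WMI
# listeners reachable from non-domain networks.
$exposed = $rules | Where-Object { $_.Profile -ne 'Domain' }
if ($exposed) {
    Write-Warning ('Rules not restricted to the Domain profile: ' + ($exposed.DisplayName -join ', '))
} else {
    'All enabled rules are restricted to the Domain profile'
}
```

Run this on a machine plugged into a non-domain network as well: the rules should show the same Domain-only scope, and the listeners should be unreachable from that network.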

How to perform Group Policy Update using GPMC

The following explains how to run the “Group Policy Update” against a group of computers.

Step 1. Open GPMC

Step 2. Simply right click on the OU on which you want to perform the update and click on the “Group Policy Update…” option.

Note: If there are no computers in the OU that you selected you will get a message telling you so.

You will now be told how many computers are about to be affected. If you are concerned about what this will do to your network load, make sure that you only do this on a few computers at first and then ramp up once you are confident it will not grind your network to a halt.

Step 3. Click on “Yes”

You will now see the results of the policy update.

To check that the Group Policy Update has been pushed out, look in the “Group Policy” section of Task Scheduler on a target computer.

You will notice there are two scheduled tasks created, one for the computer and the other for the user that is logged onto the computer.

Warning: If the Group Policy Update you are running requires a reboot or log off, then the user will be prompted to log off.

How to perform Group Policy Update using Powershell

You can also run the Group Policy Update via the PowerShell command Invoke-GPUpdate, which targets a single computer. You can combine it with other PowerShell commands to apply it to all computers in an OU or even a domain.

The Invoke-GPUpdate command also enables a few more options, such as running the Group Policy Update with the -Boot, -Force or -LogOff parameters.

TIP: You need to run “Import-Module GroupPolicy” before the “Invoke-GPUpdate” command.
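Here is an added example (not from the original post) of combining Invoke-GPUpdate with the ActiveDirectory module to update every enabled computer in an OU, in small batches with a pause between them so the load does not all land at once. It assumes RSAT (the GroupPolicy and ActiveDirectory modules) on the management host; the OU distinguished name, batch size and delay are placeholders to adjust.

```powershell
# Added example, not from the original post: push a Group Policy Update to all
# enabled computers in an OU, in batches, recording which ones could be reached.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$ou        = 'OU=Workstations,DC=contoso,DC=com'   # placeholder: your OU's distinguished name
$batchSize = 25                                      # computers scheduled per batch
$delayMin  = 10                                      # random start window, the same default GPMC uses

$computers = @(Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $ou |
               Select-Object -ExpandProperty DNSHostName)
if ($computers.Count -eq 0) { throw "No enabled computers found under $ou" }

$results = for ($start = 0; $start -lt $computers.Count; $start += $batchSize) {
    $end   = [math]::Min($start + $batchSize, $computers.Count) - 1
    $batch = $computers[$start..$end]
    foreach ($c in $batch) {
        try {
            # Same scheduled-task mechanism as GPMC; -Force reapplies even unchanged GPOs.
            Invoke-GPUpdate -Computer $c -RandomDelayInMinutes $delayMin -Force -ErrorAction Stop
            [pscustomobject]@{ Computer = $c; Result = 'Scheduled' }
        } catch {
            # Offline, or the firewall rules from the previous section are not in place:
            # no task was created, so this computer will only refresh on its normal cycle.
            [pscustomobject]@{ Computer = $c; Result = "Failed: $($_.Exception.Message)" }
        }
    }
    # Let one batch's refresh window begin before scheduling the next.
    if ($start + $batchSize -lt $computers.Count) { Start-Sleep -Seconds 60 }
}

$results | Format-Table -AutoSize

# Single computer, user policy only, forcing a logoff if a GPO requires one (use with care):
# Invoke-GPUpdate -Computer PC01 -Target User -Force -LogOff
```

Keep the failed list: those are the machines the GPMC dialog would have skipped silently, and they are the ones to re-run once they are back online.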

As always, be careful before making any changes in your environment… If the changes you are pushing to the computers can put a large load on the network, then running this command against many computers at once could cause a lot of performance issues.

That being said, it is still nice to have this feature at your disposal in case there is a setting change that you need to push out quickly…

Additional Reference See: http://technet.microsoft.com/library/hh831791.aspx

Achievement Unlocked: MVP 2012

Just letting you all know that today I got an email confirming that my MVP status is being renewed for 2012. It is a real honour to get this award in what will be a really exciting year, with all the new information to share with the release of a new version of Windows.

Sidenote: Being an April MVP means that we get the email sent to us on or around April 1st which can be very cruel…