How to apply Group Policy without rebooting the PC. Part 2 (final).
Now about the most interesting part.
Let's create a GPO. Which one doesn't matter; I made one that blocks flash drives so that its effect is easy to see. This is described in part 1.
Prepare the Group Policy for the computer.
Not for the user. A user policy will only take effect after the machine is rebooted.
That's it. The GPO has been created. For now, we don't touch it and don't link it to any user OU.
Now let's configure the operating systems.
Let's start with Windows 7 (Ultimate).
The procedure may vary.
1. Right-click "Computer" – Manage:
Computer Management\Services and Applications\Services:
SSDP Discovery – the service that provides support for SSDP (Simple Service Discovery Protocol) – set it to enabled\Automatic (if it is not enabled or is set to "Manual").
UPnP Device Host – the service that provides support and management of UPnP devices – set it to enabled\Automatic (if it is not enabled or is set to "Manual").
These services are responsible for the computer's sharing settings.
2. Open Windows Firewall with Advanced Security\Inbound Rules.
Find Remote Scheduled Tasks Management (RPC) – enable all of its rules.
3. Disable the WinHTTP automatic proxy configuration service (WinHttpAutoProxySvc) in the registry.
1. Open the Registry Editor (regedit) with administrator rights.
2. The required entry is under "Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinHttpAutoProxySvc". It is a DWORD value named Start; its default is 3 (enabled).
3. Double-click the value to edit it and set it to 4 (disabled).
4. Click OK to save the changes.
5. Restart Windows.
4. Enable TCP window autotuning for WinHttp in the registry.
1. Open the Registry Editor (regedit) with administrator rights.
2. The required key is:
"Computer\HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp".
3. Expand WinHttp and create a DWORD value named TcpAutotuning with data 1.
4. Click OK to save the changes.
5. Restart Windows.
This completes the setup of Windows 7.
Setting up Windows 10.
1. Repeat step 1 from the Win 7 setup.
2. Open Windows Firewall with Advanced Security\Inbound Rules.
Find Remote Scheduled Tasks Management (RPC) – enable all of its rules.
Find Windows Management Instrumentation (WMI) – enable all of its rules.
3. Disable the hardened-path protection for the SYSVOL and NETLOGON shares.
Open a command prompt (cmd) and run the following two commands:
Command 1:
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths /v "\\*\SYSVOL" /d "RequireMutualAuthentication=0" /t REG_SZ /f
Command 2:
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths /v "\\*\NETLOGON" /d "RequireMutualAuthentication=0" /t REG_SZ /f
4. Install the RSAT packages from the Internet.
RSAT – Remote Server Administration Tools.
Install all of the packages if they are not already installed.
5. Carry out steps 3 and 4 as for Win 7.
This completes the Windows 10 setup.
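The Windows 10 client-side steps above, scripted as an added example (not code from the original post). Run it in an elevated PowerShell on the client; it assumes the English firewall rule-group names match the rules named in the steps and that RSAT is available as Windows capabilities (1809 and later; older builds use the standalone installer).

```powershell
# Added example, not from the original post: scripts the Windows 10 client-side steps.
# Assumptions: English firewall rule-group names; RSAT installed as Windows capabilities.

# Step 1 (same as Win 7): the two services behind the sharing settings
foreach ($svc in 'SSDPSRV', 'upnphost') {          # SSDP Discovery, UPnP Device Host
    Set-Service -Name $svc -StartupType Automatic
    Start-Service -Name $svc
}

# Step 2: enable every inbound rule in the two groups the post names
foreach ($group in 'Remote Scheduled Tasks Management', 'Windows Management Instrumentation (WMI)') {
    Enable-NetFirewallRule -DisplayGroup $group -Direction Inbound
}

# Step 3: the two reg add commands. Note that this removes the mutual-authentication
# requirement that UNC hardened paths impose on SYSVOL/NETLOGON, so it is a deliberate
# weakening of the client, not a cosmetic tweak.
$hp = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'
New-Item -Path $hp -Force | Out-Null
foreach ($share in '\\*\SYSVOL', '\\*\NETLOGON') {
    New-ItemProperty -Path $hp -Name $share -Value 'RequireMutualAuthentication=0' `
        -PropertyType String -Force | Out-Null
}

# Step 4: install all RSAT packages that are not yet present
Get-WindowsCapability -Online |
    Where-Object { $_.Name -like 'Rsat.*' -and $_.State -ne 'Installed' } |
    Add-WindowsCapability -Online | Out-Null

# Step 5: the Win 7 registry steps 3 and 4. On some Windows 10 builds the
# WinHttpAutoProxySvc key is system-protected and the write is refused; report that
# rather than silently continuing.
try {
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\WinHttpAutoProxySvc' `
        -Name Start -Value 4 -Type DWord -ErrorAction Stop
} catch {
    Write-Warning "Could not set WinHttpAutoProxySvc Start=4: $($_.Exception.Message)"
}
$wh = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'
New-Item -Path $wh -Force | Out-Null
New-ItemProperty -Path $wh -Name TcpAutotuning -Value 1 -PropertyType DWord -Force | Out-Null

Write-Host 'Client configuration done; restart Windows once, as the steps require, before testing.'
```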
And now the last stage: server setup.
1. Open "Active Directory Users and Computers".
2. Open the built-in container named "Computers".
3. Drag Ivanova's computer, the one the GPO must apply to, into the OU of the user we need – in this case, Ivanov's OU.
4. Link Ivanov's OU to the required policies.
That's it. Nothing else needs to be done.
Ivanova's computer is now linked to the policies. If Ivanova's computer is rebooted, the policies will be applied anyway. But I need the policies to be applied without a reboot.
Open PowerShell and paste this command:
Invoke-GpUpdate -Computer "XXXXXXXX" -RandomDelayInMinutes 0 -Target Computer
In place of the X's, enter the computer's name.
Ivanova's computer is named WIN-10-1809, so that is the name we enter:
Invoke-GpUpdate -Computer "WIN-10-1809" -RandomDelayInMinutes 0 -Target Computer
Press Enter.
(My computer names differ because I work on several machines at once and take screenshots from them.)
If, after entering the command, you see the prompt waiting for the next command rather than an error, the command executed correctly and the policy should be applied.
If the user's computer is turned off, asleep, or something else is wrong, the following window will appear.
Invoke-GpUpdate -Computer "WIN-10-1809" -RandomDelayInMinutes 0
This form of the command forces a quick policy refresh. The zero at the end means the delay before the refresh is 0 minutes. In this form it applies policy to both the computer and the user, which we don't need.
-Target Computer – this switch means the policy is applied only to the computer.
-Target User – this switch means the policy is applied only to the user.
And since we need to apply policies to the machine, we give this command:
Invoke-GpUpdate -Computer "WIN-10-1809" -RandomDelayInMinutes 0 -Target Computer
After executing this command, the policies should be applied within 1-2 seconds. This is how I use it.
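The remote refresh described above, wrapped with a reachability check and a verification step, as an added example (not code from the original post). It runs on the server with the GroupPolicy RSAT module; the computer name defaults to the post's WIN-10-1809, and the report path and the 5-second wait are assumptions.

```powershell
# Added example, not from the original post: refreshes computer policy on one client from
# the server and then confirms which GPOs the client applied. Assumptions: GroupPolicy
# module present; report file path and the short wait before reading RSoP.
param([string]$Computer = 'WIN-10-1809')

Import-Module GroupPolicy -ErrorAction Stop

# 1. Reachability first, so an off or sleeping client gives a clear message instead of
#    the error window the post describes.
if (-not (Test-Connection -ComputerName $Computer -Count 1 -Quiet)) {
    Write-Warning "$Computer is not reachable; nothing refreshed"
    return
}

# 2. The refresh. -Target Computer restricts it to computer policy and
#    -RandomDelayInMinutes 0 drops the default staggering so it runs at once. Under the
#    hood Invoke-GPUpdate schedules gpupdate through the client's Task Scheduler, which
#    is why the "Remote Scheduled Tasks Management (RPC)" inbound rules had to be enabled.
Invoke-GPUpdate -Computer $Computer -Target Computer -RandomDelayInMinutes 0 -ErrorAction Stop

# 3. Verification through RSoP, which reaches the client over WMI (the other rule group
#    enabled on Windows 10). Give the client a moment to finish the refresh first.
Start-Sleep -Seconds 5
$report = Join-Path $env:TEMP "$Computer-rsop.xml"
Get-GPResultantSetOfPolicy -Computer $Computer -ReportType Xml -Path $report | Out-Null
$rsop = [xml](Get-Content -Path $report -Raw)

# Computer-scope GPOs the client reports, with where each one is linked and whether
# it was actually allowed to apply (a filtered or denied GPO shows up here too).
$rsop.Rsop.ComputerResults.GPO |
    Select-Object Name, Enabled, IsValid, FilterAllowed, AccessDenied,
        @{ n = 'LinkedAt'; e = { $_.Link.SOMPath } } |
    Format-Table -AutoSize
```

If the GPO linked to Ivanov's OU is missing from the table, the computer object is not yet in that OU or the link was not created, regardless of how fast the refresh ran.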
P.S.
On Windows 7, policies also started to be applied after 2 seconds. I haven't enabled the automatic window tuning feature in Windows.
And again I can almost see the comments – why invent such a mess?
I'll answer everyone who wants to say that right away: I wanted to achieve instant application of Group Policy without rebooting the client's computer, and I solved that. Purely technical interest.
And one last thing. If anyone has found a more convenient option, please share, don't be greedy.
That's all. Now that's really all.
Thanks everyone. And good luck.