GPUpdate – How to Force Group Policy Update Remotely

There are times when administrators need to force GPUpdate remotely to make sure the computer configurations and user experience (UX) in their domains meet all set policy standards. These standards – which may be set by the business that owns the domain or as part of a prerequisite to compliances – can be applied to all connected devices.

In this post, we will look at how you can use this tool to ensure the security of all assets on your network as well as adhere to local and industry compliance requirements.

What is Group Policy?

Group Policy allows Windows network administrators to define security policies for users and computers. These policies – collectively known as Group Policy Objects (GPOs) – are based on a collection of individual Group Policy settings.

Group Policy is one of Windows' most powerful features: it lets administrators control all user accounts within their business' Active Directory domain, and manage the configuration of every connected device. Best of all, they can do it all from a central location.

Group Policy is also a feature that controls the users’ working environment in an organization. It aims to provide a uniform look and feel as well as standard security features to all their computers and user accounts.

From an administrator’s point of view, it gives them centralized control over the configuration and management of all the systems in their network, along with control over user settings in Active Directory.

Now, although Group Policy, as we have just seen, has the potential of keeping a network secure and under tight control, it does have a drawback. This drawback is that it is updated in the background every 90 minutes. Alternatively, the update can be forced by rebooting the client system.

But, there may come a time when we may need to update the Group Policy immediately – without having to wait for computers to restart. This would especially be an issue in large businesses where there are hundreds of connected devices and restarting them would interrupt mission-critical processes.

This is why you may need to force GPUpdate remotely at randomized intervals without bringing the network to a stop.

With this in mind, we will have a look at various ways of updating the Group Policy remotely.

But, we are getting ahead of ourselves. Let us start with some definitions…

What is GPUpdate?

GPUpdate is a Windows command – its executable program name is gpupdate.exe – that is built into all client and server versions of the operating system.

Earlier, we had seen how, by default, a policy update takes Windows about 90 minutes – or a reboot – to implement.

But, there may arise an occasion when this isn’t fast enough. Perhaps there is a new patch that needs to be applied immediately. Or perhaps a new definition of antivirus has been sent out as a response to an attack and all clients are required to pull the definitions immediately.

Regardless of the reason, when an administrator needs to push out a policy update to the entire domain, they can use the “GPUpdate” command to force a policy update.

NOTE: several methods are available during instances where group policies need to be updated immediately without waiting for computers to restart. These methods are via the command prompt, using PowerShell commands, and through the Group Policy Management Console (GPMC).

Group Policy Update – Syntax and Arguments

Let us now go ahead and have a look at the syntax and arguments to the GPUpdate command as well as details of each argument to see how they can help you.

The basic commands to update group policies on a local or remote computer include:

  • GPUpdate /force – to force a local group policy update
  • GPUpdate /target:computer /force – to update all policies on a remote computer forcefully

Figure: GPUpdate full syntax – syntax and arguments list

Some of the parameters you can use with the command include:

  • /Target:{Computer | User} – use this argument to specify whether only user or only computer Group Policy settings are updated by force. If the target object is not specified, both computer and user settings are updated.
  • /Force – use this parameter to force a reapplication of all Group Policy settings. If this parameter is not specified, only policies that have changed are refreshed.
  • /Wait:value – with the Wait parameter you specify, using the “value” argument, the number of seconds that has to pass before the forced update process is initiated. This is intended to allow the policy update to finish its processing. The default value is 600 seconds; a value of 0 means the command is initiated immediately, while a value of -1 makes it wait indefinitely.
  • /Logoff – this optional parameter logs the user off the computer once its Group Policy has been updated.
  • /Boot – this optional parameter reboots the computer once the GPO update process is complete.

GPUpdate vs GPUpdate /force

There are two ways you can apply the GPUpdate command. The first is by simply running the executable as “GPUpdate” and the second is to run it with a “force” argument.

Looking at the differences between GPUpdate and GPUpdate /force we have:

  • GPUpdate – the basic command only applies policies that have changed. For example, if you were to update the policy that enables the Windows lock screen, running GPUpdate would only push that policy out to the clients.
  • GPUpdate /force – but when you add the /force argument, all policies are reapplied. It means that if you have a total of 30 set group policies, all 30 of them will be sent out and reapplied to the clients.

Default Process to Force GPUpdate Remotely – Using GPMC

By default, a Group Policy update takes between 90 and 120 minutes. However, if for some reason you can’t wait that long, you can fall back to running the GPUpdate command manually on each client, or to a forced update pushed out from the GPMC.

The GPMC is the menu that is used to run both local and remote Group Policy updates for an Organizational Unit (OU). When you select an OU to remotely update their Group Policy settings on all the computers under it, the following three steps take place:

  1. An Active Directory query returns a list of all computers that belong to that OU
  2. For each computer that belongs to the selected OU, a Windows Management Instrumentation (WMI) call retrieves the list of signed-in users
  3. A remote scheduled task is created to run GPUpdate.exe /force for each signed-in user and once for the computer’s Group Policy refresh.

The update task is scheduled to run at random delay intervals of up to 10 minutes to decrease the load on the network traffic. The random delay cannot be configured when you use the GPMC but can be configured when the Invoke-GPUpdate cmdlet, which we will see next, is used.

How Best to Use GPUpdate – Using the Command Line

When it comes to the domain setup, and as of Windows Server 2012 (and later versions), Microsoft has added the command Invoke-GPUpdate to PowerShell to provide a flexible and programmatic way to force group policy updates both locally and remotely.

This update can be performed on any network that has a server running Windows Server 2012 or later, regardless of the client machines’ operating system – be it Windows 7, Windows 8, or the Windows 10 generation of operating systems.

As a prerequisite, the server needs to have the GPMC installed on the machine and can be enabled as part of the Remote Server Admin Tools (RSAT).

Now, the best way to use the command to force GPUpdate remotely is as follows:

  • First, start with the basic GPUpdate command. Most of the time, it is enough to do the job without hogging resources and creating unnecessary overhead.
  • It is only if that doesn’t do the job, or some devices have been left out of the update process, that you can go ahead and resort to the forced update of all your policies to see if that will shake things up a bit.

But, be warned – a full, forced update needs to be done with care. Because, as you can imagine, the larger the network is, or the more devices that are connected to it, the more resource-intensive a policy update becomes. It can also be a slow process if you have many policies in place or large updates that need to be made.

Step-by-step How to Force Group Policy Updates Remotely

Ok, now that we have looked at what policy updates are all about, and seen how we can run them using various methods, let us move on to the step-by-step breakdown of the process to force GPUpdate remotely.

Configuring Windows Firewall

The first thing that needs to be done is to configure the Windows Firewall on all the clients. This is an essential step to allow administrators to update group policies since, by default, Windows Firewall allows all outbound network traffic but only allows inbound traffic that has been permitted by firewall rules.

Therefore, before opening the GPMC, they need to ensure that the firewalls allow inbound network traffic on specific ports.

Note: Windows Server 2012 comes with a Starter GPO called the Group Policy Remote Update Firewall Ports which is used to check if TCP port 135 is configured for Remote Scheduled Tasks Management.
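The firewall prerequisite above is where most remote refreshes fail, and it is also where the attack surface is opened. The following added example (not code from the original post) checks and enables, on a client, the inbound rules that the Starter GPO turns on, but limits them to the Domain profile and to a management subnet so the ports are not reachable from every network a laptop joins. The rule display names are the default English names on Windows 8 / Server 2012 and later (an assumption; other languages or builds may differ), and the management subnet is a constructed placeholder.

```powershell
# Added example, not part of the original post. Run in an elevated PowerShell on a client.
# Assumptions: English rule display names; 10.0.10.0/24 is a placeholder management subnet.

$MgmtSubnet = '10.0.10.0/24'   # placeholder: the subnet the administrators' workstations sit on

# The rules the "Group Policy Remote Update Firewall Ports" Starter GPO enables:
# the RPC endpoint mapper (TCP 135), the Task Scheduler RPC interface, and WMI.
$RuleNames = @(
    'Remote Scheduled Tasks Management (RPC-EPMAP)',
    'Remote Scheduled Tasks Management (RPC)',
    'Windows Management Instrumentation (WMI-In)'
)

$rules = Get-NetFirewallRule -DisplayName $RuleNames -Direction Inbound -ErrorAction SilentlyContinue
if (-not $rules) {
    throw "None of the expected firewall rules were found; check the OS version or the rule display names."
}

# Enable the rules only on the Domain profile and only for the management subnet.
# Leaving them open on Public/Private profiles exposes RPC and WMI on untrusted networks.
$rules | Set-NetFirewallRule -Enabled True -Profile Domain -RemoteAddress $MgmtSubnet

# Re-read the rules and report their state, so the change can be reviewed before it is
# rolled out domain-wide through the Starter GPO instead of by hand.
Get-NetFirewallRule -DisplayName $RuleNames -Direction Inbound | ForEach-Object {
    [pscustomobject]@{
        Rule          = $_.DisplayName
        Enabled       = $_.Enabled
        Profile       = $_.Profile
        RemoteAddress = (($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ',')
    }
} | Format-Table -AutoSize

# From an administrator's workstation, a quick reachability check of the endpoint mapper
# on one client (replace CLIENT01 with a real host name); returns $true or $false:
# Test-NetConnection -ComputerName CLIENT01 -Port 135 -InformationLevel Quiet
```

If the report shows a rule enabled but the port check from the admin workstation fails, look at a third-party host firewall or a network ACL between the subnets rather than at Windows Firewall again.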

Force Group Policy Update with Group Policy Management Console

Once the client machines’ firewalls have been configured to accept policy update requests, it is time to use the GPMC console to update – or force the update of – their Group Policies.

To do this:

  • Open the GPMC.
  • Right-click your Organizational Unit (OU) and click the Group Policy Update option. Once the forced update has run, it ends with a report showing which updates succeeded and which failed:

Figure: GPUpdate report showing successful and failed updates

And that’s it; you’re done.

Force Group Policy Update Using PowerShell

Group Policy update can also be performed using the PowerShell Invoke-GPUpdate cmdlet. This command allows you to force updates on remote computers, but it requires both PowerShell and the Group Policy Management Console to be installed on your system.

To update the Group Policy forcefully, run the following commands in a PowerShell window.

  • To force a GPUpdate:

Invoke-GPUpdate -Force

  • To force a GPUpdate remotely:

Invoke-GPUpdate -Computer RemoteComputerName -RandomDelayInMinutes 0 -Force

Note: the “0” value for the random delay argument in the command above tells the OS to refresh the group policy immediately.

  • To force a GPUpdate on all clients in a domain:

$clients = Get-ADComputer -Filter *

$clients | ForEach-Object -Process { Invoke-GPUpdate -Computer $_.Name -RandomDelayInMinutes 0 -Force }

Note: this script above stores all computer objects in the domain in the $clients variable and then loops through them with the Invoke-GPUpdate -Force command.
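The one-liner above refreshes every computer object in the domain with no delay and no record of what happened. The following added example (not the post's own code) reproduces the three GPMC steps described earlier (AD query for an OU, a per-host check, a remote Invoke-GPUpdate) and extends the domain-wide script: it scopes the refresh to one OU, skips hosts that are offline or whose RPC port is closed, keeps the random delay that the GPMC cannot configure, only reapplies everything when asked to, and writes a per-host result log. It needs RSAT (the ActiveDirectory and GroupPolicy modules). The OU distinguished name and the log path are constructed placeholders.

```powershell
# Added example, not part of the original post. Save as a .ps1 and run from a workstation
# with RSAT installed. Assumptions: the OU DN and log path below are placeholders.
param(
    [string]$SearchBase = 'OU=Workstations,DC=example,DC=com',   # placeholder OU
    [int]$RandomDelayMinutes = 10,   # 0 = refresh immediately; larger values spread the load
    [switch]$ForceAll,               # reapply every GPO (like gpupdate /force), not only changed ones
    [string]$LogPath = "$env:TEMP\gpupdate-remote.csv"
)

Import-Module ActiveDirectory
Import-Module GroupPolicy

# Step 1: the same AD query the GPMC runs, limited to enabled computers in the chosen OU.
$computers = Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase -Properties DNSHostName

$results = foreach ($c in $computers) {
    $target = $c.DNSHostName
    $status = 'Skipped-Offline'

    if (Test-Connection -ComputerName $target -Count 1 -Quiet) {
        # Step 2: the refresh is delivered over RPC/Task Scheduler, so check the endpoint
        # mapper first instead of letting the cmdlet time out on every unreachable host.
        $rpcOpen = Test-NetConnection -ComputerName $target -Port 135 -InformationLevel Quiet -WarningAction SilentlyContinue
        if ($rpcOpen) {
            try {
                # Step 3: schedule the remote refresh; -Force is only added when requested.
                $params = @{
                    Computer             = $target
                    RandomDelayInMinutes = $RandomDelayMinutes
                    ErrorAction          = 'Stop'
                }
                if ($ForceAll) { $params.Force = $true }
                Invoke-GPUpdate @params
                $status = 'Scheduled'
            }
            catch {
                $status = "Failed: $($_.Exception.Message)"
            }
        }
        else {
            $status = 'Skipped-Port135Blocked'
        }
    }

    [pscustomobject]@{
        Computer = $target
        Status   = $status
        Time     = Get-Date
    }
}

# Keep a record of which hosts were refreshed and which were not, the equivalent of the
# GPMC success/failure report, and print a summary.
$results | Export-Csv -Path $LogPath -NoTypeInformation
$results | Group-Object Status | Select-Object Name, Count
```

Run it once per OU (for example `.\Refresh-OU.ps1 -SearchBase 'OU=Finance,DC=example,DC=com' -RandomDelayMinutes 5`) rather than against the whole domain at once; the hosts listed as Skipped-Port135Blocked are the ones whose firewall still needs the rules from the earlier section.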

Finally, Why do We Even Need to Force GPUpdate Remotely?

As a closing point, remember that the main reason for a forced group policy update is because the administrator cannot wait for the normal 90-120 minute (give or take) schedule and needs it to be done immediately.

Some scenarios, where you might have to force update Group Policies, include:

  • A new unscheduled patch has been made available by Microsoft – to plug an exploit or vulnerability – and needs to be applied immediately
  • A new virus or malware threat needs to be addressed immediately, and a policy change is required to do so
  • Perhaps a critical policy setting has been overlooked and needs to be sent out to a particular device
  • An organizational restructuring has resulted in updated policies that need to take effect immediately
  • An administrator is testing group policies and wants to see their effects before rolling them out to the entire domain

But, again, be warned that this is a command that you need to use with a lot of reservation. This is especially true if you intend to force update all the computers on your network. The overhead cost will harm the performance of your endpoints and, thus, the UX of their users. So, try to use the delay argument or run updates on subnets of a network at a time.
