Microsoft

System Center Configuration Manager Feedback


Allow option for GPO processing during Task Sequence

Right now GPO processing is disabled during TS execution. This is annoying, as quite often there are settings and environment configuration for a machine pushed by GPO, and right now they only apply at the end of the TS.

It would be nice to have an explicit "process group policy" step in a TS, which would be the equivalent of a "gpupdate /force".

72 votes
    Robby Moeyaert shared this idea

    Admin response:

    Leaving status as Noted – see https://blogs.technet.microsoft.com/configmgreng/2016/03/11/configmrguv/

    We don't do anything explicit to block GPO processing; in earlier Windows versions that wasn't the case, but GPO apply was problematic in some instances.

    Our next step for this item is clear explanation of how GPO relates to OS Deployment Task Sequences and standalone Task Sequences.

    1 comment

      • Robby Moeyaert commented

        Basically a lot of configuration is done via GPO that can be quite critical during OSD.

        Main example: BitLocker.
        Quite often you have a BitLocker GPO defined that says, for example, "Encryption is AES-256, store TPM password in AD".

        However, during OSD, as this GPO doesn't apply, the TS will just use the default settings of Windows, which in this case would be enabling BitLocker with AES-128, which isn't what you want.

        The current workaround is manually using "run command line" steps in your TS to set the exact registry keys you set with that GPO. That's redundant work and can be error-prone.

        There are many other examples like this too.

        Beyond that, by default after OSD finishes GPO hasn't applied. You need to use some _SMSTSPostAction to do a gpupdate /force and reboot to be even close to sure that GPO will be applied. This is important in high-security environments where GPOs are used to enforce a Secure Configuration Baseline such as the CIS benchmark.
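      The two workarounds the comment describes (pre-staging the registry values a BitLocker GPO would set, and scheduling a gpupdate /force plus reboot through SMSTSPostAction) can be combined into one "Run PowerShell Script" step placed before "Enable BitLocker". The script below is an added illustration, not code from the commenter or from Configuration Manager. The FVE policy path, the value names and the encryption-method codes (4 = AES-256 CBC, 7 = XTS-AES 256) are assumptions taken from the BitLocker ADMX as the author of this example understands it; compare them against the values your own GPO actually writes before using it. The Microsoft.SMS.TSEnvironment COM object is the standard way a TS step reads and writes task-sequence variables.

```powershell
<#
  Added example (not from the UserVoice post or from Configuration Manager itself).
  Run as a "Run PowerShell Script" step in the full OS phase, before "Enable BitLocker":
  stage the BitLocker policy values the GPO would deliver, verify them, fail the step on
  drift, and schedule the gpupdate/reboot through SMSTSPostAction.

  Assumptions: policy key path, value names and method codes are those written by the
  BitLocker ADMX (EncryptionMethod 4 = AES-256 CBC, EncryptionMethodWithXts* 7 = XTS-AES 256).
  Check them against your own GPO before relying on them.
#>

$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# Baseline mirroring a GPO of the form "Encryption is AES-256, back up recovery info to AD".
$Baseline = [ordered]@{
    'EncryptionMethod'               = 4   # legacy value consulted by older builds
    'EncryptionMethodWithXtsOs'      = 7   # OS drive
    'EncryptionMethodWithXtsFdv'     = 7   # fixed data drives
    'EncryptionMethodWithXtsRdv'     = 7   # removable drives
    'OSActiveDirectoryBackup'        = 1   # back up OS-drive recovery info to AD DS
    'OSRequireActiveDirectoryBackup' = 1   # refuse to enable BitLocker if that backup fails
}

function Set-BitLockerPolicyBaseline {
    param([string]$Path = $PolicyPath, [System.Collections.IDictionary]$Values = $Baseline)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    foreach ($name in $Values.Keys) {
        # Set-ItemProperty creates the value if it does not exist yet.
        Set-ItemProperty -Path $Path -Name $name -Value ([int]$Values[$name]) -Type DWord
    }
}

function Test-BitLockerPolicyBaseline {
    # Returns the names of values that are missing or differ from the baseline.
    param([string]$Path = $PolicyPath, [System.Collections.IDictionary]$Values = $Baseline)
    $drift = @()
    foreach ($name in $Values.Keys) {
        $actual = (Get-ItemProperty -Path $Path -Name $name -ErrorAction SilentlyContinue).$name
        if ($null -eq $actual -or [int]$actual -ne [int]$Values[$name]) { $drift += $name }
    }
    return $drift
}

Set-BitLockerPolicyBaseline
$drift = Test-BitLockerPolicyBaseline
if ($drift.Count -gt 0) {
    Write-Error "BitLocker policy drift after staging: $($drift -join ', ')"
    exit 1   # a non-zero exit fails the TS step, so BitLocker is not enabled with Windows defaults
}

# After the TS completes, refresh Group Policy and reboot so the real GPOs take over.
try {
    $tsenv = New-Object -ComObject Microsoft.SMS.TSEnvironment
    $tsenv.Value('SMSTSPostAction') = 'cmd.exe /c gpupdate /force & shutdown /r /t 60 /c "Applying Group Policy"'
} catch {
    Write-Warning 'Not running inside a task sequence; SMSTSPostAction was not set.'
}
```

      Failing the step on drift is the point of the verification function: if the staged values do not read back as expected, the "Enable BitLocker" step that follows would silently fall back to the AES-128 default the comment warns about, and it is better for the deployment to stop than to produce a machine that looks encrypted but is outside the baseline.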
