Allow option for GPO processing during Task Sequence
Right now GPO processing is disabled during TS execution. This is annoying as quite often there's settings and environment configuration for a machine pushed by GPO, and right now they only apply at the end of the TS.
It would be nice to have an explicit "process group policy" step in a TS, which would be the equivalent of a "gpupdate /force".
Leaving status as Noted – see https://blogs.technet.microsoft.com/configmgreng/2016/03/11/configmrguv/
We don't do anything explicit to block GPO processing. In earlier Windows versions that wasn't the case, but GPO apply was problematic in some instances.
Our next step for this item is clear explanation of how GPO relates to OS Deployment Task Sequences and standalone Task Sequences.
David Stein commented
This could be a mess if the Default Domain GPO has been heavily modified, or if there are problems in the GPO infrastructure (excessive loop-backs, WMI filters, etc.) which could grind the process to a halt and cause time-outs. I could see having the option to "allow" or "deny" GPO processing until the very end, though. Otherwise, just add a "Run command" step at the end to invoke "GPUPDATE" (if there isn't a forced reboot).
Robby Moeyaert commented
Basically a lot of configuration is done via GPO that can be quite critical during OSD.
Main example: Bitlocker.
Quite often you have a Bitlocker GPO defined that says for example "Encryption is AES-256, store TPM password in AD".
However, during OSD, as this GPO doesn't apply, the TS will just use the default settings of Windows, which in this case would be enabling Bitlocker with AES-128, which isn't what you want.
The current workaround is manually using "run commandline" steps in your TS to set the exact registry keys you set with that GPO. That's redundant work and can be error prone.
There are many other examples like this too.
Beyond that, by default after OSD finishes GPO hasn't been applied. You need to use some _SMSTSPostAction to do a gpupdate /force and reboot to be even close to sure that GPO will be applied. This is important in high security environments where GPOs are used to enforce a Secure Configuration Baseline such as the CIS benchmark.
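The two workarounds described in this comment (mirroring the GPO's BitLocker registry values with a "Run command line"/"Run PowerShell Script" step, and using the SMSTSPostAction variable to run gpupdate and reboot once the task sequence finishes) as one added example script. This is not code from the thread or from Configuration Manager; it assumes it runs inside a task sequence (so the Microsoft.SMS.TSEnvironment COM object exists), and the policy value names and numbers in $bitLockerPolicy are taken from the BitLocker/TPM ADMX as I remember them and are meant to be checked against the Registry.pol of your own GPO before use.

```powershell
# Added example for a "Run PowerShell Script" step near the end of an OSD task sequence.
# Not from the thread or from Configuration Manager. Assumptions are marked below.
$ErrorActionPreference = 'Stop'

# Policy values your BitLocker GPO would normally deliver (assumed from the ADMX;
# verify names/values against the GPO's Registry.pol). Path => @{ ValueName = DWORD }
$bitLockerPolicy = @{
    'HKLM:\SOFTWARE\Policies\Microsoft\FVE' = @{
        'EncryptionMethodWithXtsOs'      = 7   # XTS-AES 256 for OS drives (Windows 10 1511+)
        'EncryptionMethodWithXtsFdv'     = 7   # XTS-AES 256 for fixed data drives
        'EncryptionMethod'               = 4   # AES 256 on older builds that ignore the Xts values
        'OSActiveDirectoryBackup'        = 1   # back up OS-drive recovery info to AD DS
        'OSRequireActiveDirectoryBackup' = 1   # do not enable BitLocker unless the backup succeeds
    }
    'HKLM:\SOFTWARE\Policies\Microsoft\TPM' = @{
        'ActiveDirectoryBackup'          = 1   # back up TPM owner information to AD DS
    }
}

function Set-PolicyRegistryValues {
    param([hashtable]$Policy)
    foreach ($path in $Policy.Keys) {
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        foreach ($name in $Policy[$path].Keys) {
            Set-ItemProperty -Path $path -Name $name -Value $Policy[$path][$name] -Type DWord
        }
    }
}

function Get-PolicyRegistryValues {
    # Read back what was written, so the TS log (smsts.log) shows the effective values.
    param([hashtable]$Policy)
    foreach ($path in $Policy.Keys) {
        foreach ($name in $Policy[$path].Keys) {
            $actual = (Get-ItemProperty -Path $path -Name $name).$name
            [pscustomobject]@{ Path = $path; Name = $name; Expected = $Policy[$path][$name]; Actual = $actual }
        }
    }
}

function Set-PostActionGroupPolicyRefresh {
    # SMSTSPostAction runs after the task sequence has finished; gpupdate then sees the
    # domain and applies the real GPOs. /wait:600 gives slow GPO infrastructures time
    # before the reboot, and the 30 s delay lets gpupdate's own logging finish.
    $tsenv = New-Object -ComObject Microsoft.SMS.TSEnvironment
    $tsenv.Value('SMSTSPostAction') =
        'cmd.exe /c gpupdate.exe /force /wait:600 & shutdown.exe /r /t 30 /c "Applying Group Policy after OSD"'
    return $tsenv.Value('SMSTSPostAction')
}

# Step 1: mirror the GPO so the "Enable BitLocker" step does not fall back to Windows defaults.
Set-PolicyRegistryValues -Policy $bitLockerPolicy
Get-PolicyRegistryValues -Policy $bitLockerPolicy | Format-Table -AutoSize

# Step 2: make the real GPOs apply as soon as the task sequence completes.
Set-PostActionGroupPolicyRefresh
```

Run Step 1 before the Enable BitLocker step and Step 2 anywhere before the task sequence ends. After the post-action reboot, gpresult /r (or the GroupPolicy operational event log) shows whether the domain GPOs applied; if they did, the mirrored values under HKLM\SOFTWARE\Policies are simply overwritten with the same settings from the GPO.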
Actually I think it's good that GPO processing is blocked during OSD. We make sure to get policies applied after the TS by doing a reboot when the TS is finished, using the SMSTSPostAction variable with a shutdown.exe command.
Well, this is technically possible. There is a registry setting you need to add that enables group policy during the OSD. Then you can add a step to do a GP Update. We do this at the end of our task sequence. But I agree. It should be built-in to the OSD as an option to run at the end.
Please add this functionality!!!!!!!!!!!!!!!!!!!!!!!!!
Henk Hoogendoorn commented
Many customers ask me the same question: Is it possible to apply Group Policy during or at the end of OS deployment? My answer is always: No, this isn't possible, because Microsoft doesn't allow it. It may or will break your task sequence deployment. Therefore some steps need to be applied to get the job done.
The trick is you need to log on first, apply group policy, and log off or shut down again. It is possible, but needs a lot of custom configuration to make it happen. I hope that Microsoft can apply some changes so that Group Policy can be applied during OS deployment, without the risk that OS deployment breaks.
At customers I visit, this is one of the most frustrating items missing. I will hope for a future release for sure.