Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Question
Monday, July 23, 2018 5:03 PM | 1 vote
I am running on a Standalone (Non-Domain Joined) Windows 10 machine and I usually make some changes to the GPO settings and most of them are basic settings like BitLocker, Preventing One Drive Storage, Disabling Cortana, and so on...
After making these GPO policy settings, is it just enough to Sign Out or Reboot? Or, do I need to perform the GPUPDATE /FORCE command?
This laptop is NON-Domain joined, just a Standalone.
I heard that GPUPDATE /FORCE is not required for Standalone machines, only for domain-joined in which policies are set on the Domain Controller.
But I need to just verify if by Signing In and Out or Reboot would be just enough.
Thanks!
All replies (5)
Monday, July 23, 2018 5:14 PM
If the Windows 10 machine is not joined to the domain, GPOs will never apply.
Monday, July 23, 2018 5:36 PM | 1 vote
Hello
We use a tool from Microsoft called LocalGPO
http://gallery.technet.microsoft.com/LocalGPOmsi-Excellent-MS-2593b2eb
With this tool you can take a GPO that was built in active directory and apply it to a stand alone non-domain computer.
Basically you need to export the GPO from your AD server. Once you have a copy of it install the LocalGPO msi file referenced above on the stand alone machine.
Copy over the GPO you exported from AD to the stand alone machine and store it in a folder.
Run the following (in our example the GPO was saved to C:\gpos on the stand alone machine)
**MAKE SURE YOU RUN THE LOCALGPO PROGRAM FROM THE PROGRAMS MENU, AND RIGHT CLICK RUN AS ADMINISTRATOR. Do not simply open up a command line.**
cscript localgpo.wsf /path:"C:\gpos\75588BFD-8E0B-4EE0-90D3-16FF5727B575}
Replace the GUID (in green) with the appropriate value that shows up in your exported GPO, the one listed is just for reference.
We have used this many times to apply OS, firewall, energy settings, and IE settings to machines that are not part of the domain.
We have used this on Windows 7 as well as Server 2008 and Server 2008R2.
Regards, Regin Ravi
Tuesday, July 24, 2018 1:33 AM | 1 vote
>>After making these GPO policy settings, is it just enough to Sign Out or Reboot? Or, do I need to perform the GPUPDATE /FORCE command?
In general, sign out has been enough, reboot is used for registry changes, of course it takes effect on GPO. About GPUPDATE /FORCE command, it will force a background update of all Group Policy settings, regardless of whether they have changed. After use this command, you don’t need to sign out or restart.
Regards
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected].
Tuesday, July 24, 2018 5:49 AM | 1 vote
After making these GPO policy settings, is it just enough to Sign Out or Reboot? Or, do I need to perform the GPUPDATE /FORCE command?
...
But I need to just verify if by Signing In and Out or Reboot would be just enough.
Hello,
IMO, either way is fine. For GPOs, if you run gpupdate /force command, it refreshes GPO engine and changes are applied immediately without rebooting the machine. In case if you reboot, the GPO changes will applied and registry will be updated as well.
Regards.
Microsoft MVP (Windows and Devices for IT)
Windows Insider MVP
Windows Help & Support [www.kapilarya.com]
Tuesday, July 24, 2018 7:34 AM | 1 vote
-to refresh user policies: sign out and in again or execute gpupdate (/force is not needed - see command help to understand what /force does)
-to refresh machine policies: reboot or execute gpupdate on an elevated command prompt as admin. /force is not needed.
Both refreshes will be executed after the next regular GPO background refresh interval which is 90 minutes, without you needing to do anything.