RE: [mssms] RE: Problems applying GPOs with Windows 10?

[Marable, Mike]

Okay, here is a rough draft of what I’m going to test later this afternoon.

SMSTSPostAction – Run BuildComplete.cmd
BuildComplete.cmd
                PowerShell.exe –ExecutionPolicy Bypass –File 
C:\BuildComplete1.ps1

[BuildComplete.cmd finishes, exits and returns control back to the task 
sequence engine]


BuildComplete1.ps1
                Start-Sleep –s 30 # Sleep 30 second to allow TS to close out
       GPUpdate # Perform a GPUpdate to “kickstart” GPO processing
       Start-Sleep –s 30 # Sleep 3 seconds to give GPO processing time to sort 
itself out
                # Code to schedule part 2
                                $A = New-ScheduledTaskAction -Execute 
"PowerShell.exe" -Argument "-ExecutionPolicy bypass -file C:\BuildComplete2.ps1"
$T = New-ScheduledTaskTrigger -AtStartup
$P = New-ScheduledTaskPrincipal -UserId "SYSTEM"
$S = New-ScheduledTaskSettingsSet
$D = New-ScheduledTask -Action $A -Principal $P -Trigger $T -Settings $S
Register-ScheduledTask "BuildComplete2" -InputObject $D
                Restart-Computer # Reboot the machine

[Computer boots up and runs BuildComplete2.ps1]

BuildComplete2.ps1
GPUpdate # Perform a GPUpdate to “kick” GPO processing
       Start-Sleep –s 30 # Sleep 3 seconds to give GPO processing time to sort 
itself out
       # Just because I’m a glutton for punishment…
GPUpdate # Perform a GPUpdate to give GPO processing a second kick in the pants
       Start-Sleep –s 30 # Sleep 3 seconds to give GPO processing time to sort 
itself out
       Unregister-ScheduledTask -TaskName "BuildComplete2" -Confirm:$FALSE

       # Code to configure auto login Registry keys
<#..#>

       Restart-Computer # Reboot the machine

Hopefully this will take care of things.

Thanks
Mike





From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On 
Behalf Of Marable, Mike
Sent: Wednesday, September 9, 2015 10:49 PM
To: ms...@lists.myitforum.com
Subject: Re: [mssms] RE: Problems applying GPOs with Windows 10?

I’d go with the “Windows Feedback” app [except that I’ve blocked it with 
AppLocker ;-) ].

This is going to stink.  But I guess if that’s what is needed for the time 
being then that’s what I’ll have to do.

I’m thinking PoSh script runs through it’s GPUpdates (if that’s helping at all) 
and sets up a scheduled task to run at bootup.  That task runs another script 
that (for the sake of trying) runs GPUpdate, then removes its scheduled task 
and then reboots.

Our deployment techs are not going to like it and there may be pitchforks and 
torches in my future but if it’ll get the job done…

Mike


From: <listsadmin@lists.myitforum.com<mailto:listsadmin@lists.myitforum.com>> 
on behalf of Todd Mote <mo...@austin.utexas.edu<mailto:mo...@austin.utexas.edu>>
Reply-To: "ms...@lists.myitforum.com<mailto:ms...@lists.myitforum.com>" 
<ms...@lists.myitforum.com<mailto:ms...@lists.myitforum.com>>
Date: Wednesday, September 9, 2015 at 9:13 PM
To: "ms...@lists.myitforum.com<mailto:ms...@lists.myitforum.com>" 
<ms...@lists.myitforum.com<mailto:ms...@lists.myitforum.com>>
Subject: [mssms] RE: Problems applying GPOs with Windows 10?

What can we do about it?  Where is appropriate to file this?  How can we get 
this some visibility? I don’t think there’s a Connect site for Windows is 
there?  Uservoice?

Todd

From: listsadmin@lists.myitforum.com<mailto:listsadmin@lists.myitforum.com> 
[mailto:listsadmin@lists.myitforum.com] On Behalf Of Johns, Damon (DoJ)
Sent: Wednesday, September 9, 2015 5:51 PM
To: ms...@lists.myitforum.com<mailto:ms...@lists.myitforum.com>
Subject: [mssms] RE: Problems applying GPOs with Windows 10?

Yes can confirm that same behaviour in my domain – workstations require at 
least 2 restarts before all the Group Policy objects are applied to my Windows 
10 instances – it was quite noticeable as the branding GPO hadn’t applied after 
my OSD Task Sequence completed even with the SMSTSPostAction set to do a 
restart.

Cheers
Damon

From: listsadmin@lists.myitforum.com<mailto:listsadmin@lists.myitforum.com> 
[mailto:listsadmin@lists.myitforum.com] On Behalf Of Marable, Mike
Sent: Wednesday, 9 September 2015 9:42 PM
To: ms...@lists.myitforum.com<mailto:ms...@lists.myitforum.com>
Subject: [mssms] Problems applying GPOs with Windows 10?

Has anyone else had problems with GPO processing on Windows 10?

I’m currently working on the Windows 10 replacement for one of our Windows 7 
products and consistently I’m seeing GPOs not applying in a timely fashion (in 
particular the AppLocker policies).  Once the machine is built I have to reboot 
it a second time to get all the policies in place.  The Windows 7 equivalent 
never had this problem.

Here is what I’m dealing with.  I have a single task sequence that will build 
using either Windows 10 or Windows 7 depending on a task sequence variable.  So 
the builds run through the same exact steps.  They are placed in OUs with 
identical GPOs applied.  I originally was setting the SMSTSPostAction variable 
to do a “shutdown –r –t 0” to reboot the machine at the end of the build.

On a Windows 7 build the machine comes up with all GPOs processed.  It has the 
proper wallpaper and all the restrictions are in place.

On a Windows 10 build the machine comes up and it has the wrong wallpaper and 
none of the restrictions are in place.  I have to reboot it a second time and 
only then does it come up properly.

Trying to resolve this I’ve set up a clunky hack at the end of my task 
sequence.  SMSTSPostAction calls a batch file.  This batch file calls a 
PowerShell script.  The PoSh script sleeps for 30 seconds to allow the batch 
file to exit, return control back to the TS and so the TS can close out.  The 
PoSh script then continues with resetting the Provisioning keys in the 
Registry, sleeping another 30 seconds, does a GPUpdate, sleeps, does another 
GPUpdate, sleeps and then restarts the computer.

With this in place the system comes up with most of the GPOs in place (i.e. the 
wallpaper is proper) but what concerns me is that the AppLocker policies that 
should have hidden “Search”, “Contact Support” and “Windows Feedback” did not 
apply.  They are all still present on the Start Menu.  Now “Contact Support” 
and “Windows Feedback” report that they are blocked by the administrator, so 
although not perfect at least they are blocked.  But the Search feature is 
still fully functional which allows the user (the general public in this 
scenario) to search and find things like PowerShell.  Once I reboot the machine 
a second time the AppLocker policy fully kicks in and Search is disabled.

Once this second reboot has happened all new users who log in receive the full 
GPO settings so AppLocker prevents the Universal apps from appearing on the 
Start Menu, Search is disabled, etc. but only after the second reboot.

I don’t want to further hack this and I’m hoping I’m just too deep in the woods 
and am missing something simple, but my next step will be to script in an 
immediate second reboot.

Again, I have none of these troubles building a Windows 7 machine.  Windows 7 
is 100% ready immediately post build.

Mike Marable
Microsoft Systems Engineer Lead
Enterprise Device Engineering and Management
MCPS, MCITP, MCTS, MCSA, MCSE, MS  
[Profile<http://www.mycertprofile.com/Profile/5319166625>] 
[Blog<http://thesystemsmonkey.wordpress.com/>]
----------------------------------------------------
"The difficult we do at once. The impossible takes a little longer."
-US Army Corps of Engineers

"It is better to have less thunder in the mouth and more lightning in the hand."
-Apache Proverb

I will rise when I have fallen.

"Unless you try to do something beyond what you have already mastered, you will 
never grow."
-Ralph Waldo Emerson


**********************************************************
Electronic Mail is not secure, may not be read every day, and should not be 
used for urgent or sensitive issues


________________________________

CONFIDENTIALITY NOTICE AND DISCLAIMER
The information in this transmission may be confidential and/or protected by 
legal professional privilege, and is intended only for the person or persons to 
whom it is addressed. If you are not such a person, you are warned that any 
disclosure, copying or dissemination of the information is unauthorised. If you 
have received the transmission in error, please immediately contact this office 
by telephone, fax or email, to inform us of the error and to enable 
arrangements to be made for the destruction of the transmission, or its return 
at our cost. No liability is accepted for any unauthorised use of the 
information contained in this transmission.



**********************************************************
Electronic Mail is not secure, may not be read every day, and should not be 
used for urgent or sensitive issues

**********************************************************
Electronic Mail is not secure, may not be read every day, and should not be 
used for urgent or sensitive issues