Windows 10 1903 Group Policy Issues after OSD


Hi,


We've recently started deploying Windows 10 1903 (First Win 10 version too...) with SCCM 1902 with MDT and group policy appears to apply, according to the logs but then we find certain settings not actually applied, even though a gpresult shows them as being applied.


Checking the various reg keys etc. for our policy settings on a client, I have seen that all of our GPO settings get applied and then some but not all get mysteriously removed, for example the Interactive Logon message gets applied but then removed, as in the registry value is removed.


Running a gpupdate /force after this has happened, appears to fix the issue.


However, using the SMSTSPostAction variable to run a script or command to update Group Policy doesn't work either; the script/command runs (as per the log files), but the above does still occur until we run a gpupdate /force (an ordinary gpupdate does nothing, so most of the time reboots etc. do nothing).


We have no Group Policy related Group Policy settings (As in the ones that control whether CSEs process during slow links etc. and whether they process even though there are no changes) and we cannot find any other reason for this not to work correctly.


I think until we find a fix, using the RunOnce reg key/value may be the workaround...


Would someone at Microsoft be able to confirm whether this is a confirmed issue at Microsoft and whether there is a fix for it please? Or if there is a fix incoming as potentially some of our security related GPOs are not being correctly applied.


Many thanks,


Luke
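
A post-deployment check for the symptom described in this post (gpresult reports the policy as applied while the registry value is gone), as an added example that is not part of the original post or any Microsoft tooling. The baseline list is an assumption: it uses the registry values behind the Interactive Logon message and should be replaced with the values your own security GPOs set.

```powershell
# Added example: confirm that policy-backed registry values are actually present,
# instead of trusting gpresult. The baseline below is an assumption; edit it.
$Baseline = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'LegalNoticeCaption' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'LegalNoticeText' }
)

function Get-MissingPolicyValue {
    param([Parameter(Mandatory)][hashtable[]]$Expected)
    foreach ($item in $Expected) {
        $prop = Get-ItemProperty -Path $item.Path -Name $item.Name -ErrorAction SilentlyContinue
        # An absent value and an empty value both mean the setting is not in effect.
        if ($null -eq $prop -or [string]::IsNullOrWhiteSpace([string]$prop.($item.Name))) {
            [pscustomobject]@{ Path = $item.Path; Name = $item.Name }
        }
    }
}

$missing = @(Get-MissingPolicyValue -Expected $Baseline)
if ($missing.Count -eq 0) {
    Write-Output 'All baseline policy values are present.'
    exit 0
}
$missing | ForEach-Object { Write-Warning "Missing before refresh: $($_.Path)\$($_.Name)" }

# Forced computer-policy refresh, which the post reports as the only thing that
# restores the values. 'n' answers any logoff/restart prompt so the run stays unattended.
'n' | & "$env:SystemRoot\System32\gpupdate.exe" /force /target:computer | Out-Null

$stillMissing = @(Get-MissingPolicyValue -Expected $Baseline)
if ($stillMissing.Count -eq 0) {
    Write-Output "Recovered $($missing.Count) value(s) after gpupdate /force."
    exit 1   # non-zero so the drift is still recorded by whatever runs this check
}
$stillMissing | ForEach-Object { Write-Warning "Still missing: $($_.Path)\$($_.Name)" }
exit 2
```

Run it elevated after the first post-deployment logon; exit code 1 means the values had been removed and were restored by the forced refresh, exit code 2 means they are still absent.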

15 Replies

@techyluke Hi, I seem to be having a similar issue. Did you get any solution?

@vandammages Unfortunately not, disappointed that Microsoft are not acknowledging this issue, this is potentially an enterprise issue affecting lots of customers... We thought things were improved after installing the September cumulative update, but it appears there may be still some issues.

I have just run into the same problem. We have a computer policy to automatically connect clients to corporate WiFi. Upon inspection the computer looks fine and the policy looks like it's enabled, but once we reboot and log on as a user it's gone. Gpresult /r says it's applied, but the computer sees networks it's not allowed to see and no corporate WiFi is to be found. Manual gpupdate on the computer will solve it, but that's not really a viable fix.

Hi

I'm having the exact issue. Please reply if anyone comes to a solution. @techyluke

Hi
After trying many things to fix the issue. I have turned the Continuous Availability on the shared servers, the issue seems to be fixed after turning it off.

@techyluke 

We have this issue on 1909; some security settings are not applied or are removed later. I'm not sure what to configure for our server shares.


@techyluke wrote:

@vandammages Unfortunately not, disappointed that Microsoft are not acknowledging this issue, this is potentially an enterprise issue affecting lots of customers...


Did you report this to Microsoft Support?


The community forum is not exactly the best place for such expectations ;)

Yes, we've opened a support ticket for this.

@dpankz Not yet. It looks weird. Some GPOs are not working after a fresh install - but not always the same. Support ticket is still in progress. 1909 is affected too.

Just trying to get this out there on various forums, including TechNet, can't always afford to open a support ticket, plus just having experienced it...
We're still seeing the issue, just having to run GPUpdate a couple of times, but haven't tried 1909, but doesn't sound worth it...

Support case is closed. We now set https://gpsearch.azurewebsites.net/#329 to apply security settings, even if there are no changes on the gpo. Whether or not there is a problem with 1903/09 is ultimately unclear.

Has anyone had an official statement from Microsoft on this? 1909.4 still has this issue and I cannot get the policies to update even with the suggested fix by setting the always process GPO setting.

@DaveT101 

Nothing official from MSFT so far.

Here's another issue we had to deal with: https://www.borncity.com/blog/2020/01/10/windows-10-v1909-und-ein-mgliches-gpo-problem-teil-2/ So we must remove some Defender GPOs to make things work again. That's very annoying.