Windows server 2019 Active Directory GPO's blocked by Windows 10 firewall when forced from the serve


I work in a small business and I am the part-time server admin with not much experience. We are migrating from 2008 R2 to 2019. I have Windows Server 2019 AD installed in a test environment with two Win 10 PCs. Everything is a vanilla out-of-the-box installation for both the server and clients. I built my first GPO to test. Forcing an update of the GPO from the AD server failed. I turned off the firewall for client 1 and voila, the GPO was deployed when forced from the server. Later in the day, I logged onto client 2 and found that even though the force from the server did not work earlier, my GPO was deployed.


In my searching, I found mentions of inbound RPC rules that can be turned on at the client to allow forcing GPOs from the server.


I just want to confirm that I am not missing something here. My understanding from this exercise is:

1. Standard GPO deployment is performed by the local client initiating the process at boot time for computer policies and when a user logs in for user policies.

2. If I want to be able to force updates from the server, then I will need to deploy firewall rules opening up the needed RPC ports on the client for the inbound traffic.


Do I have this right? Thanks for any clarifications.


3 Replies
best response confirmed by severt (Copper Contributor)

There are two separate issues here: are the clients getting the GPOs, and can you force a GPO update of the client from the server?

The clients should get the GPOs applied according to the normal GPO processing methodology:

- Group Policy Basics 1
- Group Policy Basics 2
- Group Policy Basics 3

Assuming the clients are getting the policies applied through the normal mechanisms, the second issue is whether or not you can force a GPO update from the server. In order to allow the Windows 10 workstation to receive the command from the server, Windows Remote Management needs to be enabled on the workstation (Windows Remote Management is enabled by default in the server OS but not in the workstation OS).

The easiest way to do this is to create the starter GPOs in the Group Policy Management Console on the server. There is a starter GPO that enables remote management that you can link to the OU that contains the client systems. Allow that GPO to apply (or trigger it locally on the workstation) and then reboot the workstation. You should then be able to force additional GPOs to apply from the server.

Hope this helps.

Ed Gallagher, MVP
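As an added example that is not part of this thread, the PowerShell below lets a client admin verify exactly which inbound Windows Firewall rules the remote refresh path depends on, and, if wanted, enable them scoped to a single management host rather than to every address. The GPMC remote refresh (`Invoke-GPUpdate` from the GroupPolicy module) works by scheduling a `gpupdate` task on the client over RPC and querying it over WMI, which is why the built-in starter GPO named "Group Policy Remote Update Firewall Ports" enables the three rules listed in the script. The `$ManagementHost` address is a placeholder assumption; the rule display names are the built-in ones. Run it in an elevated PowerShell on a domain-joined Windows 10 client.

```powershell
# Added example, not from the original thread. Checks the inbound firewall rules
# that the "Group Policy Remote Update Firewall Ports" starter GPO enables, and
# optionally enables them restricted to one management host (least privilege).
param(
    [string]$ManagementHost = '192.0.2.10',   # placeholder: replace with your DC/admin host
    [switch]$Enable                           # without -Enable the script only reports
)

# Built-in inbound rule display names used by Invoke-GPUpdate / GPMC remote refresh
$ruleNames = @(
    'Remote Scheduled Tasks Management (RPC)',
    'Remote Scheduled Tasks Management (RPC-EPMAP)',
    'Windows Management Instrumentation (WMI-In)'
)

function Get-GpRemoteUpdateRuleState {
    # Returns one object per matching inbound rule: whether it is enabled,
    # which profile it belongs to, and which remote addresses it accepts.
    [CmdletBinding()]
    param([string[]]$Names = $ruleNames)

    foreach ($name in $Names) {
        $rules = Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue |
                 Where-Object { $_.Direction -eq 'Inbound' }
        if (-not $rules) {
            # A missing built-in rule is worth surfacing, not silently skipping
            [pscustomobject]@{ DisplayName = $name; Enabled = $false; Profile = 'n/a'; RemoteAddress = 'rule not found' }
            continue
        }
        foreach ($r in $rules) {
            $scope = $r | Get-NetFirewallAddressFilter
            [pscustomobject]@{
                DisplayName   = $r.DisplayName
                Enabled       = ($r.Enabled -eq 'True')
                Profile       = $r.Profile
                RemoteAddress = ($scope.RemoteAddress -join ',')   # 'Any' means unscoped
            }
        }
    }
}

if ($Enable) {
    foreach ($name in $ruleNames) {
        Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue |
            Where-Object { $_.Direction -eq 'Inbound' } |
            ForEach-Object {
                # Enable only for the Domain profile and only from the management host,
                # so the RPC/WMI listeners are not reachable from arbitrary addresses.
                $_ | Set-NetFirewallRule -Enabled True -Profile Domain -RemoteAddress $ManagementHost
            }
    }
}

# Report the resulting state; an admin should see Enabled=True and a narrow RemoteAddress.
Get-GpRemoteUpdateRuleState | Format-Table -AutoSize

# On the server, after the rules are in place, the remote refresh is then:
#   Invoke-GPUpdate -Computer 'CLIENT01' -Force -RandomDelayInMinutes 0
# ('CLIENT01' is a placeholder computer name.)
```

Without `-Enable` the script is read-only, so it is safe to run first to see why the forced refresh failed (typically all three rules report `Enabled=False`). Scoping `-RemoteAddress` to the management host keeps the client's scheduled-task and WMI RPC endpoints closed to every other machine on the network, which is the check a reviewer would want before rolling the starter GPO out to a whole OU.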