Computers not patched by SCCM due to cached Group Policy WSUS setting

One of my customers had a lot of computers that didn’t receive patches because of an old group policy setting cached on the client pointing to a decommissioned WSUS server. Specifying a WSUS server in GPO is not necessary when patching clients with software updates in SCCM. Removing this group policy fixed the issue on a lot of computers, but we still had too many computers that where not compliant. GPO cache on the clients was the issue. and this is how we fixed it.

We had to delete the GPO local cache. The GPO cache file is named Registry.pol and is located in “C:\Windows\System.32\GroupPolicy\Machine\”

I created an application with a single Powershell script that we deployed to all non-compliant computers. The application was a simple Powershell script that deleted registry.pol when executed and then run a “gpupdate / force” to make sure new group policy was applied immediately.

Remove-Item C:\Windows\System32\GroupPolicy\Machine\Registry.pol
echo y | gpupdate / force

Powershell was once again used for detection method of this application. I wanted to make sure that any non-compliant computer that had a registry.pol older than today’s date was detected as not installed, while clients with a registry.pol file from today or newer was detected as installed.

$date = (Get-ChildItem C:\Windows\System32\GroupPolicy\Machine\Registry.pol).CreationTime.ToString('ddMMyyyy')
if ($date -ge '20161004') {
   Write-Host "Installed"

Then I deployed this application as a required deployment to a collection containing all non-compliant computers, and it fixed it. They started patching and are now compliant.

Anders Rødland

Anders Rødland started his IT career in 2006. My main focus is MS Configuration Manager and client management, and I have passed 17 Microsoft certifications since then. My main expertise is on client management with Microsoft Endpoint Manager: Intune and Configuration Manager. I also do a lot of work on the security side with Microsoft Defender for Endpoint. In addition to my Microsoft certification, I also have an ITIL v3 Foundation certification. This is my private blog and do not represent my employer. I use this to share information that I find useful. Sharing is caring.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.