Computers not patched by SCCM due to cached Group Policy WSUS setting

One of my customers had a lot of computers that didn’t receive patches because of an old Group Policy setting cached on the client, pointing to a decommissioned WSUS server. Specifying a WSUS server in a GPO is not necessary when patching clients with software updates in SCCM. Removing this Group Policy fixed the issue on a lot of computers, but we still had too many computers that were not compliant. The GPO cache on the clients was the issue, and this is how we fixed it.

We had to delete the local GPO cache. The GPO cache file is named Registry.pol and is located in “C:\Windows\System32\GroupPolicy\Machine\”

I created an application with a single PowerShell script that we deployed to all non-compliant computers. The script deleted Registry.pol when executed and then ran “gpupdate /force” to make sure the new Group Policy was applied immediately.

# Delete the cached copy of the machine policy
Remove-Item C:\Windows\System32\GroupPolicy\Machine\Registry.pol
# Re-apply policy immediately; 'y' answers the logoff prompt non-interactively
echo y | gpupdate /force

PowerShell was once again used as the detection method for this application. I wanted to make sure that any non-compliant computer with a Registry.pol older than today’s date was detected as not installed, while clients with a Registry.pol file from today or newer were detected as installed.

# Detection: the creation date (yyyyMMdd, so string comparison sorts chronologically)
# must be on or after the deployment date. Any output means "installed"; no output
# means "not installed". Tolerate a missing file between deletion and gpupdate recreating it.
$pol = Get-Item 'C:\Windows\System32\GroupPolicy\Machine\Registry.pol' -ErrorAction SilentlyContinue
if ($pol -and $pol.CreationTime.ToString('yyyyMMdd') -ge '20161004') {
   Write-Host "Installed"
}

Then I deployed this application as a required deployment to a collection containing all non-compliant computers, and that fixed it. They started patching and are now compliant.
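As an added example (not the author's deployment scripts), the following PowerShell remediation ties the steps above together for a safer rollout: it only acts when the policy-delivered WSUS URL still points at the retired server, keeps a backup of Registry.pol before deleting it, and verifies the result so the exit code can be used by SCCM. The WSUS URL and backup folder are placeholders, and the WUServer value under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate is where a GPO-assigned WSUS server is stored.

```powershell
# Added example, not the blog author's code. Placeholder values are marked as such.
$OldWsus   = 'http://old-wsus.example.local:8530'   # placeholder: retired WSUS server URL
$PolFile   = 'C:\Windows\System32\GroupPolicy\Machine\Registry.pol'
$WuPolicy  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$BackupDir = Join-Path $env:ProgramData 'GpoCacheBackup'   # placeholder location

function Test-StaleWsusPolicy {
    # True when the policy-set WSUS URL still references the decommissioned server.
    $wu = Get-ItemProperty -Path $WuPolicy -ErrorAction SilentlyContinue
    return [bool]($wu -and $wu.WUServer -and $wu.WUServer -like "$OldWsus*")
}

function Repair-GpoCache {
    # Keep a timestamped copy of the cached policy so the change can be reviewed or rolled back.
    if (Test-Path $PolFile) {
        New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
        $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
        Copy-Item -Path $PolFile -Destination (Join-Path $BackupDir "Registry.pol.$stamp")
        Remove-Item -Path $PolFile -Force
    }
    # Force a full re-application of computer policy; 'y' answers the logoff prompt.
    echo y | gpupdate /target:computer /force | Out-Null
}

if (Test-StaleWsusPolicy) {
    Write-Output "Stale WSUS policy found ($OldWsus); clearing GPO cache"
    Repair-GpoCache
} else {
    Write-Output 'No stale WSUS policy present; nothing to do'
}

# Verification: the retired URL must be gone and Registry.pol must have been rewritten today.
$rewritten = (Test-Path $PolFile) -and ((Get-Item $PolFile).CreationTime.Date -ge (Get-Date).Date)
if (-not (Test-StaleWsusPolicy) -and $rewritten) {
    Write-Output 'Remediated'
    exit 0
}
Write-Output 'Remediation incomplete: stale WSUS policy or old Registry.pol still present'
exit 1
```

Run it from a SCCM application or package with SYSTEM rights, since Registry.pol and the policy registry hive are not writable by standard users.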

Anders Rødland

Anders Rødland started his IT career in 2006. My main focus is MS Configuration Manager and client management, and I have passed 17 Microsoft certifications since then. My main expertise is on client management with Microsoft Endpoint Manager: Intune and Configuration Manager. I also do a lot of work on the security side with Microsoft Defender for Endpoint. In addition to my Microsoft certifications, I also have an ITIL v3 Foundation certification. This is my private blog and does not represent my employer. I use this to share information that I find useful. Sharing is caring.
