RyanIrish

asked on
SBS 2011 Win10 GPO/WMI filtering issues

Hello all,

I've been fighting this issue on and off for 3 years, and I'm no closer to solving it than I was back then...hopefully someone here can help.

I cannot figure out how to apply GPO settings to Win10 clients via SBS.  I've tried to follow guides in the past, I've asked for help on multiple forums, including this one, but the struggle continues.  Here is what I have as it stands:

WMI filter created for Win10:
[screenshot]
A simple GPO restricting Control Panel access:
[screenshot]
GPO linked to the filter:
[screenshot]
On my test client, from an elevated command prompt, I try "gpupdate /force":
[screenshot]
GPresults:
[screenshot]
I'm not sure why my test policy isn't applied, but the Windows SBS Client - Windows 10 policy is applied.  I've been fighting this on and off for so long I don't even recall if I created that object or inherited it...but that GPO is linked to the same WMI filter.  

I'm so confused...safe for you to assume I know nothing about how this should look as my GPO management is now full of old failed attempts and garbage I've left behind from testing/experimenting and I'm not even sure anymore what is good and what is trash.  What a mess...

Thanks for any help or advice.
Adam Brown
Are you linking the GPO to the OU with the computers and/or users in it? WMI filters aren't GPO links. They are filters to ensure that the GPO only applies to computers that match the WMI filter *in the OU the GPO is linked to*. Sorry if you've done this already, but your screenshots don't show it. Also, if the GPO is linked to an OU of computers, it needs to have Loopback policy processing enabled to apply to users that log in with the settings you have shown.
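The three pieces Adam describes (a WMI filter that only narrows scope, a link to the OU that actually holds the computer accounts, and loopback processing for user settings in a computer-linked GPO), as an added PowerShell example that is not part of the thread. The GPO name, the OU distinguished name and the registry-backed settings used to stand in for the GPMC checkboxes are assumptions; adjust them to your own domain.

```powershell
# Added example, not from the original thread. Assumed GPO name and OU path below.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$gpoName = 'Restrict Control Panel - Win10'                                   # assumed
$ou      = 'OU=SBSComputers,OU=Computers,OU=MyBusiness,DC=corp,DC=local'      # assumed; confirm with Get-ADOrganizationalUnit

# 1. A WMI filter is not a link: it only trims the scope of wherever the GPO is linked.
#    Confirm the usual "Windows 10 workstation" query matches on the client you are testing.
$q = 'SELECT Version, ProductType FROM Win32_OperatingSystem WHERE Version LIKE "10.%" AND ProductType = "1"'
if (Get-CimInstance -Query $q) { 'This machine matches the Win10 workstation filter' }
else { 'This machine does NOT match; compare Version/ProductType below with the filter' }
Get-CimInstance Win32_OperatingSystem | Select-Object Caption, Version, ProductType

# 2. Create the GPO if needed and link it to the OU that contains the computer objects.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }
$linked = (Get-GPInheritance -Target $ou).GpoLinks | Where-Object { $_.DisplayName -eq $gpoName }
if (-not $linked) { New-GPLink -Name $gpoName -Target $ou -LinkEnabled Yes | Out-Null }

# 3. User settings in a GPO linked to a computer OU only apply with loopback enabled.
#    This is "Configure user Group Policy loopback processing mode"
#    (Computer Configuration > Administrative Templates > System > Group Policy); 1 = Merge, 2 = Replace.
Set-GPRegistryValue -Name $gpoName -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 1 | Out-Null

# 4. The user setting itself: "Prohibit access to Control Panel and PC settings" (User Configuration).
Set-GPRegistryValue -Name $gpoName -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -ValueName 'NoControlPanel' -Type DWord -Value 1 | Out-Null

# 5. On the test client, refresh and check that the GPO is listed under BOTH scopes;
#    with loopback it must appear in the computer scope for its user settings to reach the user.
#    gpupdate /force
#    gpresult /r /scope:computer
#    gpresult /r /scope:user
```

If step 1 reports no match, the filter is the problem and nothing else matters; if the GPO shows under the computer scope in gpresult but the restriction does not take effect, check loopback and the link before touching security filtering.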
RyanIrish (asker)

Sorry, Adam, I forgot to include that...
[screenshot]
This part adds to my confusion, as I see policies listed on the client that are not on this list of applied GPOs.
Pete

Your WMI query looks different to mine?

Windows 10 Create a WMI Filter for Group Policy
Adam Brown

Ok. You have a GPO with user policy settings linked to an OU of computers. You need to enable loopback policy processing to allow those settings to apply when users log in: https://support.microsoft.com/en-us/help/231287/loopback-processing-of-group-policy
RyanIrish (asker)

So maybe this is my problem...I've been trying to link to the SBSComputers. I see now that the policies being applied are listed at the domain level.
[screenshot]
@Pete, yes, it is different, I don't have the product type string, I'll edit mine.

@Adam  I'll follow that link, thank you.

Edit:  You guys rock, partial success, which is still huge!  So on my test client, the policy applied and works once added at the domain level.  I'm assuming it will also work if I add to the SBSUsers OU.  User policy applied to computers...sigh...sometimes I disappoint myself greatly.

Now I just need to figure out why some of my Win10 clients fail when I attempt to force a policy update. A few just hang here indefinitely:
[screenshot]
Others just flat out fail:
[screenshot]
This is what I'm used to dealing with, the policy never even applying...the success on my Win10 tester is an anomaly for sure.

All of my Win10 clients are laptops, all connected to the same wifi network, same AP, etc. All can ping the DC, access shares, etc.
Madison Perkins

Test the laptop connected via LAN port. I bet it will work. They are logging into the laptop with cached credentials, reading the WiFi configuration from the user profile and then connecting to the network.

Group Policy computer policies are processed at boot when the Ethernet connects to the network. Group Policy user policies are processed at logon to the workstation. Since the laptop is not connected to the network or the domain until after the user logs in, policies won't work as you would expect. There is a way around this but I can't remember exactly and I am on mobile.

Since you are applying a computer policy to users using loopback, the most difficult group policy scenario, it makes it more difficult to troubleshoot. Try it via LAN port; it may take a few reboots and logins for all group policies to get applied. If it works via LAN port it's just a matter of making it work via WiFi.

Let us know your results for a LAN port so we know what issue is left.
If I remember correctly there is something like a wait for network option or slow network option for group policies? Not sure, but that may be it; once I am in a position to look at my GP console I can find it.

How do you make the WiFi connection? 802.1X and MAC via RADIUS might have been the solution.
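The "wait for network" setting Madison is thinking of, plus a way to see from the client whether a refresh actually reached a DC, as an added PowerShell example that is not part of the thread. The GPO name is an assumption. One caveat the thread's Wi-Fi symptom makes important: waiting longer at startup only helps when the adapter associates before logon (a machine-wide wireless profile or 802.1X computer authentication); if the Wi-Fi profile lives in the user profile, as Madison describes, the wait just times out.

```powershell
# Added example, not from the original thread. Assumed GPO name below.
Import-Module GroupPolicy
$gpoName = 'SBS Client - Network Wait'   # assumed; link it where the laptops' computer objects live

# "Always wait for the network at computer startup and logon"
# (Computer Configuration > Administrative Templates > System > Logon)
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon' `
    -ValueName 'SyncForegroundPolicy' -Type DWord -Value 1 | Out-Null

# "Specify startup policy processing wait time", in seconds (the default wait is 30).
# Raising it only buys time for an adapter that WILL connect before logon; it does nothing
# for a per-user Wi-Fi profile that is not read until after the user is already logged on.
# (Computer Configuration > Administrative Templates > System > Group Policy)
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows\System' `
    -ValueName 'GpNetworkStartTimeoutPolicyValue' -Type DWord -Value 60 | Out-Null

# On a client that "hangs" or "fails" on gpupdate: pull the warnings and errors the
# Group Policy engine logged for its last refreshes (DC discovery, LDAP bind, slow link).
function Get-GpRefreshProblems {
    param([int]$MaxEvents = 40)
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-GroupPolicy/Operational'
        Level   = 2, 3          # 2 = Error, 3 = Warning
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName,
            @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
}

Get-GpRefreshProblems | Format-Table -AutoSize

# Which adapter was up when the refresh ran? A laptop whose only domain path is a Wi-Fi
# profile in the user's profile shows no connected adapter at the time of the computer refresh.
Get-NetAdapter | Where-Object Status -eq 'Up' | Select-Object Name, InterfaceDescription, LinkSpeed
```

Read the events alongside the adapter list: a refresh that logged a DC-discovery or LDAP bind error while only the Wi-Fi adapter was up, and that succeeds on the same laptop over Ethernet, is the pattern described above, and the fix is getting the wireless link up before logon rather than waiting longer for it.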
RyanIrish (asker)

I'll try that, thanks Madison! For what it's worth, I have not yet enabled loopback, but rather linked the GPO at the domain level, which seems to have worked. Do I still need to enable loopback in this situation? Sorry for needing help at every step, this is all pretty foreign to me.

You're right, one of the uncooperative laptops did update when connected via lan port!  The one laptop that was successfully applying the policy is also connected via wifi, so odd that it worked on wifi.  Now if only all of them would update while on wifi...maybe the loopback has something to do with that?  

So now that we've sorted out a few issues, I'm left with the main reason for chasing this down, controlling updates on the Win10 clients. I know as much about WSUS as I do GPO control, so bear with me as I stumble through this...my apologies for jumping around, but I assume this is all related.

Ok, the policy I assume controls updates is here, yes?

[screenshot]
The GPO is linked to the Windows SBS Client WMI, which should include Win10.
[screenshot]
I'm confused by the Security Filtering window, which lists most of the PCs on my domain, but not all. I've never manually added anything to this list and several Win10 clients are there, yet the user still has to manually update. The Win10 client I've been using to test all of this is not on the list. I'm not sure what determines if a machine is part of this filtering list or not, nor do I know why Win10 clients on the list are unaffected and not controlled by WSUS.

Apologies all around, I know it's frustrating to try and help when there are so many moving parts and I'm not exactly helping the cause with my lack of understanding.

Edit: My Win10 test client shows "Update Services Common Settings Policy" under gpresult, but not the "Update Services Client Computers Policy"...yet again, I'm not even sure which is 'supposed' to be there, but I can only assume that I should see the client computers policy as well.
Madison Perkins

It has more to do with the location of the GP in the directory. If you got it to work by moving it you should be fine. Don't turn it on if it's working at all. Loopback is a pain and IMO should be used as little as possible.

Group Policy loopback is a computer configuration setting that enables different Group Policy user settings to apply based upon the computer from which logon occurs. Breaking this down a little more: ... When enabled, user settings from GPOs applied to the computer apply to the logged on user.
Add the computer account to the Security tab for testing. If it works, great.

Check to see if the Domain Computers security group is in the Security tab. There was a security patch that adjusted the security for group policy. This was a while ago and if memory serves me it removed something from the Security tab or changed the defaults when a new GP is created. Can't remember the details but I think this is it. https://blogs.technet.microsoft.com/askpfeplat/2016/07/05/who-broke-my-user-gpos/

If it works on all computers listed in the Security tab just add the computer, use an existing security group or create a new one. When joining a computer to an SBS domain you should run the SBS client to perform the connection. There are a number of things that happen behind the scenes like putting the computer object in the SBSComputers OU instead of the default Computers OU, configuring the computer for WSUS, etc. If you didn't use the client those things would have to be done manually.
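An audit of the Security Filtering Madison is describing, as an added PowerShell example that is not part of the thread. The linked post is about MS16-072 (KB3163622): since that update, user policy is retrieved using the computer's security context, so a GPO whose Security tab no longer grants Read to Authenticated Users (or at least Domain Computers) silently stops applying its user settings. The GPO and computer names used in the fix-up step are assumptions.

```powershell
# Added example, not from the original thread. GPO and computer names below are assumed.
Import-Module GroupPolicy

# Summarise one GPO's delegation the way the Security Filtering / Delegation tabs show it.
function Test-GpoSecurityFiltering {
    param([Parameter(Mandatory)][string]$Name)
    $perms = Get-GPPermission -Name $Name -All
    $canRead = $perms | Where-Object {
        $_.Permission -in 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'
    }
    # Match on SIDs rather than display names so this works regardless of locale:
    #   S-1-5-11 = Authenticated Users, <domain>-515 = Domain Computers
    [pscustomobject]@{
        GPO                       = $Name
        AuthenticatedUsersCanRead = [bool]($canRead | Where-Object { $_.Trustee.Sid.Value -eq 'S-1-5-11' })
        DomainComputersCanRead    = [bool]($canRead | Where-Object { $_.Trustee.Sid.Value -like '*-515' })
        AppliesTo                 = (($perms | Where-Object Permission -eq 'GpoApply' |
                                      ForEach-Object { $_.Trustee.Name }) -join ', ')
    }
}

# Every GPO in the domain; any row with both Read columns False is one that post-MS16-072
# clients cannot read with the computer identity, so its user settings will never apply.
Get-GPO -All | ForEach-Object { Test-GpoSecurityFiltering -Name $_.DisplayName } |
    Sort-Object AuthenticatedUsersCanRead, DomainComputersCanRead |
    Format-Table -AutoSize

# Fix for a GPO that was scoped by removing Authenticated Users: give Domain Computers
# Read (not Apply), which restores retrieval without widening who the settings apply to.
$gpoName = 'Restrict Control Panel - Win10'    # assumed
Set-GPPermission -Name $gpoName -TargetName 'Domain Computers' -TargetType Group `
    -PermissionLevel GpoRead | Out-Null

# For testing one machine, as suggested above: grant that computer account Apply directly,
# confirm with gpresult on the client, then move it into a security group for the long term.
Set-GPPermission -Name $gpoName -TargetName 'TESTLAPTOP01' -TargetType Computer `
    -PermissionLevel GpoApply | Out-Null                                          # assumed computer name

Test-GpoSecurityFiltering -Name $gpoName
```

For a computer-side GPO such as a WSUS client policy, Read alone is not enough: the computer (or a group it belongs to) must hold Apply, which is exactly what the Security Filtering list in GPMC represents, so a Win10 client missing from that list will never pick the policy up no matter how the WMI filter is written.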
RyanIrish (asker)

Manually adding my test machine seems to work, as the update window shows the expected "settings are managed by your org."

I still have Win10 machines reporting as Vista machines in WSUS, but I'm sure I can Google a solution to that one.

I also don't see a single update for Win10 in WSUS...I'll try and remedy the misreported OS first and see if that changes anything.

I have a few laptops with no LAN port, so once I figure out how to get around the GP update issues via wifi, I might actually have this sorted out.

Thank you!
ASKER CERTIFIED SOLUTION
Madison Perkins

RyanIrish (asker)

Same subnet. I'll follow that advice and see what happens. Thanks again, happy to be close to resolving this one...having control of the updates will be a welcomed change.