0

Most GPO settings are either enforced (the user can't change the setting) or applied only one time (software install). My question is: if I set a specific registry key using a GPO and the registry key is changed, will the GPO overwrite the registry key with the one set in the GPO? We run a specific piece of software, which sets several registry keys in HKLM\Software. We never had any trouble with computers running Windows 7, Vista, etc. The problem is that Windows 10 for some reason deletes one of these keys every time it updates.

I am asking specifically about registry settings applied to computers in Active Directory via GPO. If the Computer GPO will not override the settings on reboot after they are deleted by Windows 10, I would be forced to deploy a startup script instead, which would use REG QUERY to check whether the key exists and, if it exists, REG DELETE and REG ADD; if the key does not exist at all, REG ADD to add the key. I want to protect specific registry settings, which Windows 10 continues to delete on every update.

1 Answer

0

Is the program changing the registry or is your startup script? It is best to use group policy instead of startup scripts. You will enjoy more reliability, consistency, and security.

Anyway, on to your question. Yes, GPOs refresh every 90 minutes, on reboot, and upon receiving a gpupdate /force. Refresh means that the GPO "runs", completing all of the items in the object. For example, let's say you have a key that removes the sign out button in the start menu. Normally when you log in you can assume that the sign out button will not appear, but what if you manually added the button using regedit? Would the button reappear next time the computer reboots? It depends on how the GPO is configured. When you add a new 'Registry Item' you have to select one of four actions: Create, Replace, Update, and Delete. If you want to learn more about these here is a good article. For brevity, I will say you would most likely want to use 'Replace' as it will replace the key with whatever was in the GPO and will create it if it doesn't exist.

Note that GPOs are refreshed but do not necessarily take effect immediately. Certain GPOs require a restart, logout/login, or closing and reopening a program.
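The fallback the question describes (check the value at startup and put it back if it is missing or changed), sketched as an added PowerShell example; it is not part of the original question or answer. The key path, value name and data are hypothetical placeholders, since the page does not name the real key.

```powershell
# Added example. Path, Name, Type and Value below are hypothetical placeholders.
$Desired = @(
    @{ Path = 'HKLM:\SOFTWARE\ExampleVendor\ExampleApp'; Name = 'ManagementMode'; Type = 'DWord'; Value = 1 }
)

function Repair-RegistryValue {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][hashtable]$Item)

    # Classify the current state before touching anything.
    $state = 'Compliant'
    if (-not (Test-Path -LiteralPath $Item.Path)) {
        $state = 'KeyMissing'
    } else {
        $key = Get-Item -LiteralPath $Item.Path
        if ($key.GetValueNames() -notcontains $Item.Name) {
            $state = 'ValueMissing'
        } elseif ($key.GetValue($Item.Name) -ne $Item.Value -or
                  $key.GetValueKind($Item.Name).ToString() -ne $Item.Type) {
            $state = 'Drifted'
        }
    }

    # Restore only when needed; -WhatIf turns the run into a read-only audit.
    $target = "$($Item.Path)\$($Item.Name)"
    if ($state -ne 'Compliant' -and $PSCmdlet.ShouldProcess($target, 'Restore registry value')) {
        if ($state -eq 'KeyMissing') { New-Item -Path $Item.Path -Force | Out-Null }
        New-ItemProperty -LiteralPath $Item.Path -Name $Item.Name `
            -PropertyType $Item.Type -Value $Item.Value -Force | Out-Null
    }

    # One record per value, so repeated deletions show up in whatever collects the output.
    [pscustomobject]@{
        Time     = Get-Date -Format o
        Computer = $env:COMPUTERNAME
        Target   = $target
        State    = $state
    }
}

# Writing under HKLM requires an elevated context (a computer startup script runs as SYSTEM).
$Desired | ForEach-Object { Repair-RegistryValue -Item $_ }
```

The State column records what was found before any repair, so a machine that reports KeyMissing after each Windows update can be told apart from one where something else changes the value between policy refreshes.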


9 Comments

The program is not changing this registry entry. This specific registry entry sets some management settings for the program, which normal users cannot alter. Previously, there were only a few computers that used the program and the settings were set manually by admin. The problem was that Windows 10 deleted the settings after every single update. Now the program is deployed in the network and many computers use it. So, I set the settings using GPO. Because of this known bug, where Windows 10 deletes the settings after update, I want both to set and protect these registry keys from any tampering.
@btzom So currently you have the GPO setting a registry key, but it changes when the computer is updated? If that's the case, can you tell me what the permissions are for the key in regedit?
Previously, the settings were manually set by admin. Now I have GPO to set the keys. What I am asking is whether GPO with action Replace registry key will replace it on every computer reboot, even if Windows 10 updates and deletes the key.
I haven't checked the permissions of this specific key. Will check them and then will report.
Yes, the 'Replace' action will replace it on every reboot. If it does not then something else is running that changes the key (like an old startup script or an interfering GPO). Windows updates may change it, but GPOs will always override those updates (sometimes it takes a reboot before it overrides).