Most GPO settings are either enforced (the user can't change the setting) or applied only one time (software install). My question is: if I set a specific registry key using a GPO and the registry key is changed, will the GPO overwrite the registry key with the one set in the GPO?

We run specific software, which sets several registry keys in HKLM\Software. We never had any trouble with computers running Windows 7, Vista, etc. The problem is that Windows 10 for some reason deletes one of these keys every time it updates.

I am asking specifically about registry settings applied to computers in Active Directory via GPO. If the Computer GPO will not override the settings on reboot after they are deleted by Windows 10, I would be forced to deploy a startup script instead, which will use REG QUERY to check if the key exists and then, if it exists, REG DELETE and REG ADD; and if the key does not exist at all, REG ADD to add the key. I want to protect specific registry settings, which Windows 10 continues to delete on every update.
- How are you setting the registry key using GPO? – Quetza Mar 19 '21 at 15:58
- @Quetza GPO -> Preferences -> Windows Settings -> Registry and then Item with action Replace – btzom Mar 19 '21 at 16:37
- GPO will apply the registry keys when the GPO is next applied, regardless of any changes that were made since it was last applied. This is usually when a user logs on, but can be forced to trigger periodically or by running `gpupdate /force` – Quetza Mar 19 '21 at 16:47
- Thank you. This is what I really wanted. You don't know how annoying it is to set the same settings every time Windows 10 updates. I want this key not to change, unless I say so. – btzom Mar 19 '21 at 20:52
- You could just set permissions to deny "delete" for everyone ... – bjoster Apr 01 '21 at 06:19
1 Answer
> The problem is that Windows 10 for some reason deletes one of these keys every time it updates.

> GPO -> Preferences -> Windows Settings -> Registry and then Item with action Replace
You're using a Group Policy Preference registry item, which is different from a GPO registry setting. This preference item will NOT prevent local manipulation of the key.
Also, you appear to be concerned about the key being deleted before update. You have selected the REPLACE method; it is doing precisely what you have asked it to do. REPLACE will remove the existing entry and write a new one (even if it is the same). The REPLACE method is not idempotent; it will always result in a change. I believe you are looking for UPDATE, which will update the value if it's not correct.

- I am more concerned about update deleting the key than key being modified. Because all I have to do is to ask the user to reboot the machine and the key is back in its place. If Windows Update deletes the key, then messing with registry permissions could potentially lead to inability of Windows Update to successfully complete. So, I prefer just to reinsert the same key with the same value. – btzom Mar 19 '21 at 20:42
- Also, I think that setting literally 3 registry keys will not increase the boot time significantly. So, I am fine with this workaround that will save us much time and inconvenience. I also have 3 desktop icons with action replace. So even if the user deletes them or renames them and then complains about missing icons, reboot and they are back where they should be. – btzom Mar 19 '21 at 20:56
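The startup-script fallback described in the question, written so that it only writes when a value is missing or different (the behaviour the answer attributes to UPDATE) and records each repair. This is an added example, not part of the original thread; the key path, value names, data and log location are hypothetical placeholders, and only String and DWord values are handled.

```powershell
# Added example. The key path, value names, data and log path are hypothetical.
function Set-RegistryValueIfDrifted {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)]$Value,
        [ValidateSet('String', 'DWord')][string]$Type = 'String'
    )
    $action = 'Unchanged'
    # Recreate the key only when it is missing, so existing sibling values survive.
    if (-not (Test-Path -LiteralPath $Path)) {
        if ($PSCmdlet.ShouldProcess($Path, 'Create key')) {
            New-Item -Path $Path -Force | Out-Null
        }
        $action = 'KeyCreated'
    }
    # Read the current data; a missing value yields $null instead of an error.
    $current = (Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    # Write only on drift (missing or different data); -cne is case-sensitive.
    if (($null -eq $current) -or ($current -cne $Value)) {
        if ($PSCmdlet.ShouldProcess("$Path\$Name", 'Write value')) {
            New-ItemProperty -LiteralPath $Path -Name $Name -Value $Value `
                -PropertyType $Type -Force | Out-Null
        }
        if ($action -eq 'Unchanged') {
            $action = if ($null -eq $current) { 'ValueAdded' } else { 'ValueCorrected' }
        }
    }
    [pscustomobject]@{
        Time = (Get-Date).ToString('s'); Path = $Path; Name = $Name
        Previous = $current; Action = $action
    }
}

# Constructed sample settings standing in for the values the software needs.
$key = 'HKLM:\SOFTWARE\ExampleVendor\ExampleApp'
$settings = @(
    @{ Path = $key; Name = 'LicenseServer'; Value = 'licsrv.example.internal' }
    @{ Path = $key; Name = 'EnableSync'; Value = 1; Type = 'DWord' }
)
$results = foreach ($s in $settings) { Set-RegistryValueIfDrifted @s }

# Record only the runs that had to repair something, e.g. after a Windows update.
$logDir = Join-Path $env:ProgramData 'ExampleApp'
New-Item -ItemType Directory -Path $logDir -Force | Out-Null
$results | Where-Object Action -ne 'Unchanged' |
    Export-Csv -Path (Join-Path $logDir 'registry-drift.csv') -Append -NoTypeInformation
```

Deployed as a computer startup script it runs as SYSTEM, which has the write access to HKLM that the function needs.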