Ferry / Trick: Updating packages which use group policy extensions

Created Wed, 13 Dec 2017 14:00:28 +0200

I was recently involved in an assignment which involved upgrading Immidio Flex+ to VMware UEM. This upgrade is fairly simple, but it can be pretty annoying for end users, because an upgrade may impact their user experience.

First of all, I will try to explain what group policy extensions are and what they do. Group Policy extensions are extensions (well duh) of the standard Microsoft Group Policy objects. They rely on the group policy service, have their own .adm(x) templates and are processed by the group policy engine.

“GPO Extensions”

When upgrading Flex+ to UEM, the following problems (and possibly more) might occur if the computer does not get rebooted after the installation of UEM:

Not having drive mappings
Not having application shortcuts

We ran the update to VMware UEM on FAT clients with SCCM. When users experienced problems, the service desk had them reboot their PC and everything would be fine afterwards. But we had to run the update on several RDSH servers as well. As you might suspect, the RDSH servers could not be rebooted when users were starting to notice that drive mappings or application shortcuts were not there. So I had to figure something out without impacting users on the RDSH servers.

I wanted a solution that would not need a reboot and could be executed fairly simply. Because it was the group policy extensions that were not working, I wanted to restart the group policy service.

Since the Group Policy Service is a service that is protected by system, I needed to figure something out.

What I did was create a new package on SCCM, containing PSexec (https://docs.microsoft.com/en-us/sysinternals/downloads/psexec) and created a script that did this:

psexec -i -s net stop gpsvc
psexec -i -s net start gpsvc

After running those commands, users logging on to the machine were getting their shortcuts and drive mappings again.
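
A sturdier form of the same restart, as an added example that is not the author's script: a PowerShell script meant to be started under the SYSTEM account (for instance through psexec -s, as above) that waits for each state change and returns a non-zero exit code when gpsvc does not come back, so the SCCM deployment shows the failure. The file name, the 60-second timeout and the exit codes are assumptions.

```powershell
# Restart-Gpsvc.ps1 (hypothetical file name): restart the Group Policy service
# and report the outcome through the exit code.
# Assumption: started under SYSTEM, e.g.  psexec -s powershell.exe -File Restart-Gpsvc.ps1

$ErrorActionPreference = 'Stop'
$serviceName = 'gpsvc'
$timeout     = [TimeSpan]::FromSeconds(60)   # constructed value, tune per environment

# The service cannot be stopped from an ordinary administrator session, so
# fail early with a clear message instead of an access-denied error later.
$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $identity.IsSystem) {
    Write-Output "Must run as SYSTEM (current identity: $($identity.Name))"
    exit 2
}

try {
    $svc = Get-Service -Name $serviceName

    if ($svc.Status -ne 'Stopped') {
        Stop-Service -InputObject $svc -Force
        # Block until the service control manager reports the stop as complete.
        $svc.WaitForStatus('Stopped', $timeout)
    }

    Start-Service -InputObject $svc
    $svc.WaitForStatus('Running', $timeout)
}
catch {
    Write-Output "Restart of $serviceName failed: $($_.Exception.Message)"
    # Do not leave the machine without a Group Policy service: try one more start.
    Start-Service -Name $serviceName -ErrorAction SilentlyContinue
    exit 1
}

# Re-read the state so the reported status is the current one.
$svc.Refresh()
Write-Output "$serviceName status: $($svc.Status)"
if ($svc.Status -eq 'Running') { exit 0 } else { exit 1 }
```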

In conclusion, if you need to update a system with active users, or are updating something that uses group policy extensions, a restart of the group policy service after installing will prevent impact on end users and removes the need to reboot a machine.