How to use GPUpdate /Force Command to update your Group Policies

The command gpupdate /force is used to force the update of group policies that are applied by your company. Changes made in the Group Policy are not applied immediately but after 90 mins by default (with a ~30 min offset to spread the load). By using the GPUpdate command we can force the update.

Group Policies are used to change security settings and for system management (like deploying printers or mapping network drives). For troubleshooting IT problems, it’s sometimes necessary to update the group policy manually.

How force group policy update

GPUpdate vs GPUpdate Force command

The gpupdate /force command is probably the most used group policy update command. When you use the /force switch, all the policy settings are reapplied. For most use cases this is perfectly fine, but keep in mind, when you have a lot of group policies objects (GPO) or in a large environment, using the /force will put a huge load on the domain controllers.

If you have a large tenant or a lot of GPO’s, then it’s better to only run gpupdate without the /force switch to apply new policy settings. This will get only the changes or new group policies, reducing the load on the client and domain controllers.

# Reapply all policies
gpupdate /force

# Get only the changed / new group policies
gpupdate

Update only user or computer group policies

If you have a large environment or need to update the group policies on a lot of computers at the same time, then it can be useful to only update what is needed. This will reduce the load on the domain controllers and it’s of course faster.

To do this you can use the /target switch. This allows you to update only the user or computer GPO’s.

# Update only the user policies
gpupdate /target:user

# Update only the computer policies
gpupdate /target:computer

Automatically reboot or logoff after GPUpdate

Not all policy changes are applied immidiately. Due to Fast Boot, for example, are some settings only applied when the users logs in on the computer. Some settings even require a reboot to be applied.

With the use of the /logoff or /boot switch, we can let gpupdate figure out if a logoff or reboot is necessary. To be clear, if you run gpupdate /boot, then the computer will only reboot if a policy change requires it. Otherwise, the policy will be applied immediately without the reboot.

• GPUpdate /logoff is needed for example after policy changes in the Active Directory like folder redirections or printers. Changes in the AD are only applied when the user logs in on the computer.
• GPUpdate /boot is for example needed when you create Software Distribution changes.

Run GPUpdate on a Remote Computer

Sometimes you may need to update quickly the group policies on multiple computers because you changed the internet proxy settings or maybe to replace a printer for example. There are couple of ways to run GPUpdate on a remote computer

Using the Group Policy Management Console

You can initiate a group policy update on a whole OU with the Group Policy Management Console. It has to be an OU with only computer objects in it, so you can’t use the method on a user OU. Simply right-click on the OU where you have changed a policy and click on Group Policy Update

This will update the user and computer policies on all the computers in the given organization unit. The nice thing is that it will as for confirmation and show you how many computers are going to be updated.

After you have confirmed the update the policies will be updated and you can see the status of each computer. In this example 5 computers where turned off, so the update failed.

Use PowerShell to run GPUpdate on a Remote Computer

We can also use PowerShell to run gpupdate on remote computers. The only requirement is that you have Windows 2012 or later. Running it from Windows 10 is also possible, but then you need to open the PowerShell windows with a domain admin account.

The basis of the command is the Invoke-GPUpdate cmd. We also need to specify the computer and the RansomDelayInMinutes.

The RandomDelayInMinutes is used to lower the network load when you update a lot of computers at the same time. You can set it between 0 and 44640 minutes (31 days). Use 0 to run the update immediately.

Invoke-GPUpdate -Computer "labrat01" -RandomDelayInMinutes 0 -Force

If a user is logged on at the computer, then the Invoke-GPupdate command will ask the user for confirmation. By using the -force switch we can run the updates without the confirmation.

With this, we can create a small script to target all computers in a specific OU and run GPupdate on them.

# Spread the load by setting the delay to between 1 and 30 minutes
$random = Get-Random -Minimum 1 -Maximum 30

# Get the computers in an OU to update and run GPUpdate
Get-AdComputer -SearchBase "OU=Computers,OU=Lab,DC=lazyadmin,DC=com" -Filter * | ForEach-Object -Proces {Invoke-GPUpdate -Computer $_.Name -RandomDelayInMinutes $random -Force}

Or if you want to use a list of computers:

# Based on a list
$computers = "labpc01,labpc02,labpc03"
$computers | ForEach-Object -Proces {Invoke-GPUpdate -Computer $_ -RandomDelayInMinutes $random -Force}

Wrapping Up

I hope this article helped you with the GPUpdate /force command. If you have any questions, then just drop a comment below.