Local group policy overrides domain group policy when not connected to LAN
We have a WSUS server in our domain and configure this service with a domain group policy. At the moment we are beginning to implement the update service with SCCM 2007 R2 SP2. This system has an Internet-facing server. The current state is that all clients have to use the standard WSUS server and not SCCM for updates. This works fine on all clients inside the LAN. On these domain member computers (all Windows 7 RTM / SP1, x86 / x64) the domain group policy overrides the local group policy generated by the SCCM client. This is the expected result. The problem begins when the domain member computer is not connected to the LAN and has no connection to a domain controller. In this case the local group policy is applied to the update service and not the domain policy setting. The technical description for group policies says "The last domain group policy state is cached and will be applied to the computer". Why does Windows 7 apply the local group policy setting and not the domain group policy setting? Both group policies have the same settings, but with different values set. What must I do to prevent this, or where is the problem located?
March 14th, 2012 9:07am

Hi, For computers joined to a domain, domain administrators can disable processing of Local Group Policy objects on clients running Windows 7 by enabling the "Turn off Local Group Policy objects processing" policy setting in a domain Group Policy object. You can find this setting in: Computer Configuration\Administrative Templates\System\Group Policy. Try enabling this setting for a test. Alex Zhao, TechNet Subscriber Support. If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
March 15th, 2012 1:42am

Hello, I have applied the GPO with the setting. The result was the same. I have read all relevant log files from SCCM and the WindowsUpdate.log. There were two entries: modify update location, and inform update service about new policy. After these entries were written to the SCCM log, I saw that the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate - WuServer was modified to the SCCM update server. A query of the applied GPOs with GPRESULT displays, for WuServer, the entry from the domain GPO and not from SCCM. I guess that the client has directly modified the registry key. I have now disabled the SCCM client on the computer and rebooted the computer (three times). But after all reboots, the cached domain GPO has not repaired the registry value for WuServer. Now I was curious and changed other domain group policy values in the registry. Firewall: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\FirewallRules. After a reboot, the modified entries were accepted as a valid policy! Windows did not detect the change and did not repair the entries. The values were corrected only after the machine had a domain controller connection.
March 15th, 2012 10:52am

Group policy is marked as successful and won't re-apply unless the GPO version changes. That's why you needed the connection to the domain controller. You can try the following setting if you want to enforce that: Computer Configuration\Administrative Templates\System\Group Policy\Security Policy Processing. Inside this policy, check the box labeled "Process even if the Group Policy objects have not changed". http://www.windowsecurity.com/articles/enforcing-gpo-security-settings.html
March 15th, 2012 6:40pm

Hi, I am just writing to check the status of this thread. Was the information provided in the previous reply helpful to you? Do you have any further questions or concerns? Please feel free to let us know. Regards, Alex Zhao, TechNet Subscriber Support. If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
March 19th, 2012 10:43pm

Hello, I have modified the group policy, but the result is the same. The settings can be changed, and the GPO will reset the settings back to the GPO definition neither while the computer is in normal operation nor when I do a reboot. To solve the important problem, I have disabled SCCM update deployment over the Internet-facing server. This does not solve the problem that the GPO will not be applied if the computer is not connected to the domain network, but for the moment I have solved the problem with the SCCM updates. The problem is persistent.
March 21st, 2012 8:07am

Hi, It is normal behavior that the local group policy settings override the domain group policy settings when the domain member computer is not connected to the corporate network. To prevent this, please try to disable local group policy processing by modifying/adding the following registry value: Key: HKLM\Software\Policies\Microsoft\Windows\System, Value: DisableLGPOProcessing = 1. Please try my suggestion and let me know the result. Thanks. Denny Zhou. Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
March 22nd, 2012 6:21am
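The three replies above each point at a different knob (the "Turn off Local Group Policy objects processing" setting, the per-extension "Process even if the Group Policy objects have not changed" flag, and the DisableLGPOProcessing registry value), while the original poster's observation is that the value in HKLM\Software\Policies was changed directly and no longer matched what GPRESULT reported. The following PowerShell script is an added example, not code from the thread or from Microsoft: it reads the registry state all three replies refer to on one client and reports whether the effective WUServer value has drifted from what the domain GPO is expected to set. Assumptions: the expected WUServer URL is a placeholder you must replace; the CSE GUIDs for the Registry and Security client-side extensions, the NoGPOListChanges value name, and the Group Policy operational log event IDs 1502/1503 are the documented ones for Windows 7 and later; PowerShell 3.0 or later and an elevated prompt are required.

```powershell
# Added example (not from the thread): audit the policy registry state the replies
# discuss, on a Windows 7 or later domain member. Run from an elevated prompt.

# ASSUMED placeholder: the WUServer value your domain GPO sets. Replace it.
$ExpectedWUServer = 'http://wsus.example.corp:8530'

# Paths named in the thread.
$WUPolicyPath  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$SysPolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'

# Per-extension processing flags live under HKLM\...\Group Policy\{CSE GUID}.
# "Process even if the Group Policy objects have not changed" is stored as
# NoGPOListChanges = 0. WUServer is an Administrative Template (Registry CSE)
# setting; the Security CSE is the one the earlier reply points at.
$CsePath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Group Policy'
$Cse = @{
    Registry = '{35378EAC-683F-11D2-A89A-00C04FBBCFA2}'
    Security = '{827D319E-6EAC-11D2-A4EA-00C04F79F83A}'
}

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Return $null when the key or value is absent instead of throwing.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Get-GpDriftReport {
    $actualWU = Get-PolicyValue $WUPolicyPath 'WUServer'
    $report = [ordered]@{
        WUServer_Expected     = $ExpectedWUServer
        WUServer_Actual       = $actualWU
        WUServer_Drifted      = ($actualWU -ne $ExpectedWUServer)
        # $null = not configured, 1 = local GPO processing turned off
        DisableLGPOProcessing = Get-PolicyValue $SysPolicyPath 'DisableLGPOProcessing'
    }
    foreach ($name in $Cse.Keys) {
        $flag = Get-PolicyValue (Join-Path $CsePath $Cse[$name]) 'NoGPOListChanges'
        # $null = not configured (default: skip unchanged GPOs), 0 = always reprocess, 1 = skip
        $report["${name}CSE_NoGPOListChanges"]   = $flag
        $report["${name}CSE_ReappliesUnchanged"] = ($flag -eq 0)
    }
    # Most recent computer policy processing result from the GP operational log:
    # 1502 = changes detected and applied, 1503 = no changes detected, nothing reapplied.
    $evt = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-GroupPolicy/Operational'; Id = 1502, 1503
    } -MaxEvents 1 -ErrorAction SilentlyContinue
    $report['LastGPResultEventId'] = if ($evt) { $evt.Id } else { $null }
    $report['LastGPResultTime']    = if ($evt) { $evt.TimeCreated } else { $null }
    [pscustomobject]$report
}

Get-GpDriftReport | Format-List
```

Read the output together with the thread's findings: a `WUServer_Drifted` of `True` while GPRESULT still shows the domain value means something wrote to the policy key directly, which any process running as a local administrator can do, since HKLM\Software\Policies is an ordinary registry hive and not a protected store. `DisableLGPOProcessing` only governs the local GPO store under %SystemRoot%\System32\GroupPolicy, so it does nothing against such direct writes. `NoGPOListChanges = 0` on the Registry CSE makes the extension rewrite its values on every successful refresh even when no GPO version changed, but a Windows 7 client that cannot reach a domain controller does not complete a refresh at all; the previously applied values simply remain, so the drift flag stays set until the next refresh that reaches a DC (for example `gpupdate /force` over the VPN).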

Hi, How are things going on your end? Was the suggestion I provided helpful to you? If there is anything I can do for you, please let me know. Thanks. Best regards, Denny Zhou. Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
March 26th, 2012 11:06am

I have implemented a workaround to solve the actual issue with the SCCM-controlled patch management. 'DisableLGPOProcessing' will not work, because SCCM directly overwrites the GPO setting in the registry. Only one question remains open: why does Windows 7 not apply the cached GPO settings when the computer has no contact with the domain controller? Most users have local administrator rights, therefore the GPO settings should be unchangeable if the user is outside the LAN.
March 27th, 2012 8:34am
