Understanding Group Policy Caching in Windows 8.1
The other day I tweeted about an article posted on the Microsoft TechNet site, that gave a brief overview of the new Group Policy features coming in Windows 8.1 and Windows Server 2012, R2. One of the items mentioned in the article, albeit briefly, was a new “Group Policy Caching” feature. I wanted to spend some time talking about this feature because it’s important to understand what it will and won’t do for you with respect to policy processing. What’s funny about this feature is that I’ve spent years, writing and speaking on Group Policy and especially Group Policy internals, and in many of my talks I go out of the way to say that GPOs are not really “cached” on a Windows system, when they are processed. I guess I’ll have to change that part of my talk .
Ok, let’s dive into this caching feature. So, the first thing to know about this feature, is that it’s strictly about improving GP processing performance under certain circumstances. It DOES NOT work to apply Group Policy when a machine is off the network or not in contact with a domain controller. Under those scenarios, policy will still not process. What this caching feature does, however, is reduce the time it takes to process policy when a synchronous foreground processing cycle is detected. Remember that synchronous foreground processing cycles happen during computer startup and user logon, when certain conditions apply. One of those conditions is that something has changed in a GPO that contains one of 4 Client Side Extensions (CSEs)– Software Installation, Folder Redirection, Microsoft Disk Quota and GP Preferences Drive Mappings. If a GPO with one of these extensions in it has changed, then the GP engine tells Windows that the next foreground processing cycle will be synchronous. The other condition that causes synchronous processing to occur, is when you’ve enabled the policy at Computer Configuration\Policies\Administrative Templates\System\Logon\Always wait for the network at computer startup and user logon. This policy forces all foreground processing cycles to be synchronous, all the time. Interestingly, another change in Windows 8.1 is that Microsoft has removed Microsoft Disk Quota and GP Preferences Drive Mappings from the list of CSEs that require a synchronous foreground cycle to process, so we’ll no longer have to worry about those when running 8.1!
So, here’s how caching works:
1. Each time policy is processed asynchronously (in the background), policies settings are copied from the local domain controller, to a location on the file system of the client under c:\windows\system32\GroupPolicy\Datastore, as shown below:
2. If the GP engine detects that it is running in a foreground, synchronous update (in other words, the computer is starting up or the user is logging in and the synchronous flag has been set in Windows) then instead of going to the domain controller to get the GPOs that apply, it reads them from the local datastore described in #1 above, instead of copying it from the domain controller. You can see evidence of that within the Event Viewer’s Group Policy Operational Log, as shown here:
That’s pretty much it. Again, this is meant to be a time saving thing that occurs ONLY when synchronous processing is in play. It does not help speed processing over slow links or when the computer is not on the network. But, if you are in a synchronous situation and your domain controller is across a relatively slow VPN or DirectAcess link, and you have lots of GPOs to process, the time savings, and thus the user experience improvement at logon or startup, can be significant.
The one interesting side-effect of this feature is the following. If a synchronous processing cycle is detected, thus triggering caching, but there has been a change to one of the GPOs that is being processed, that change will not be picked up during the synchronous cycle. In other words, there is no way to invalidate the cache during a synchronous processing cycle–it takes an asynchronous processing cycle (e.g. issuing a gpupdate command) to update the cache with the latest and greatest policy settings. This is something to be aware of because I’m sure it will cause much frustration down the line when folks start implementing Windows 8.1.
If you don’t like the idea of using this feature, Microsoft has given you a policy setting to disable it. The setting is under Computer Configuration\Policies\Administrative Templates\System\Group Policy\Configure Group Policy Caching. If you disable this setting, then the caching feature is no longer used during GP processing.
PS. After reading this, my good friend and fellow Group Policy MVP, Jeremy Moskowitz, reminded me about the cool policy caching capabilities already available in his PolicyPak product:
“If you DO want Group Policy to process, even when offline, consider checking out PolicyPak and here’s a link to the demo of the offline reinforcement feature. http://www.policypak.com/videos/sspdtvrd7by“