Well first they should do it around 90 minutes max on their own. You could push a psexec gpupdate against a text file list of the boxes. Or via powershell:
https://blogs.technet.microsoft.com/heyscriptingguy/2012/11/12/force-a-domain-wide-update-of-group-policy-with-powershell/ And I will also add servers are not the most important thing to target with this mitigation. It is the desktops, they are the ones that are clicking on stuff. They will get infected and be used to hit your servers. From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Michael Leone Sent: Wednesday, June 28, 2017 10:11 AM To: ntsysadm@lists.myitforum.com Subject: Re: [NTSysADM] Using GPP to fight Petya OK, so I've made that change in the GPO, and it creates the file appropriately. So how do I force all my servers to refresh their GPOs, without going to each and doing a "gpupdate /force"? When they automatically check in the next time, this policy should be applied. But how to make that happen NOW, rather than within the next 24 hours (or whatever)? On Wed, Jun 28, 2017 at 9:23 AM, Kennedy, Jim <kennedy...@elyriaschools.org<mailto:kennedy...@elyriaschools.org>> wrote: I will ground my son who wrote that. It should be ‘replace’. That will create it or replace it. Now, why you are not seeing it in gpresult I dunno. You ran the gpresult as a local admin? From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> [mailto:listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com>] On Behalf Of Michael Leone Sent: Wednesday, June 28, 2017 9:13 AM To: ntsysadm@lists.myitforum.com<mailto:ntsysadm@lists.myitforum.com> Subject: [NTSysADM] Using GPP to fight Petya So I'm confused. Looking at this page: https://www.binarydefense.com/petya-ransomware-without-fluff/ Shows using GPP to create a file "c:\windows\perfc.dat". Apparently, if this file exists, the malware stops (yes, I know that there will be a variant Real Soon Now that avoids this). So I made this change: Computer\Preferences\Windows Settings\Files And followed the web page ("update", copy windowsupdate.log to c:\windows\perfc.dat", make it read-only. Did all this on a testing GPO I keep around for this purpose. Doing Group Policy Modeling Wizard, I see this being applied as a setting to my test VM. Yet when I go an look in c:\windows, I don't see the file.Nor do I see that setting in "gpresult /r /v". What have I done wrong?
