We have a custom GPO that sets a few values in the registry. The settings work great, and the GPO applies it as we need it.
Where I am having a problem is re-applying this policy if the registry settings change (either by the user or by some other means - see the next sentence). Twice in the past 2-3 months after applying monthly Windows Security Patches, these registry keys have been reset by one of the patches we have deployed.
If you manually do a "gpupdate /force", the computers will reapply the GPO and set this registry key back how we want it. However, on a normal refresh cycle, or even during a reboot, this will not happen. From what I've found, it won't reapply because there hasn't been a change to the policy (or the version number of the policy), so the computer thinks it has the up-to-date version already.
This brings me to the following location in Group Policy:
Computer Configuration > Policies > Administrative Templates > System > Group Policy > named Security policy processing > "Process even if the Group Policy objects have not changed"
It seems that enabling this would fix the problem I'm having, but I'm concerned that enabling it is an "all or none" proposition. If enabling this cannot be done "per policy", then it would add an unacceptable overhead to our workstations.
SO... I have a few questions:
#1. Is this all or none? Can I set it within the specific GPO and have it only apply to this policy? Or, is this something that I need to set at the root and it therefore would affect all policies?
#2. Is there a better way to do what I'm needing to without causing overhead of reapplying every policy on the workstations at every refresh cycle?
Any help or perspective would be greatly appreciated.
Thanks,
Irish
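
An added example, not part of the original post: a PowerShell audit for the situation described above. Windows stores the "Process even if the Group Policy objects have not changed" option as a per-extension value named NoGPOListChanges, so the script reports that value for the Registry and Security client-side extensions and then checks a baseline of registry values for drift. The baseline path, value name and expected data are placeholders (assumptions), since the post does not name the keys.

```powershell
# Added example. Baseline entries below are placeholders, not values from the post.
$gpBase = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Group Policy'

# Client-side extensions whose processing options are audited.
$extensions = [ordered]@{
    'Registry policy processing' = '{35378EAC-683F-11D2-A89A-00C04FBBCFA2}'
    'Security policy processing' = '{827D319E-6EAC-11D2-A4EA-00C04F79F83A}'
}

# Placeholder baseline: replace with the values the custom GPO is meant to enforce.
$baseline = @(
    @{ Path = 'HKLM:\SOFTWARE\ExampleVendor\ExampleApp'; Name = 'ExampleSetting'; Expected = 1 }
)

function Get-ReprocessState {
    # NoGPOListChanges = 0 means the extension reprocesses even when no GPO changed.
    foreach ($name in $extensions.Keys) {
        $key = Join-Path $gpBase $extensions[$name]
        $props = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
        $val = if ($props) { $props.NoGPOListChanges } else { $null }
        [pscustomobject]@{
            Extension              = $name
            Configured             = ($null -ne $val)
            ProcessEvenIfUnchanged = ($null -ne $val -and $val -eq 0)
        }
    }
}

function Test-RegistryBaseline {
    param([hashtable[]]$Baseline)
    foreach ($item in $Baseline) {
        $props = Get-ItemProperty -LiteralPath $item.Path -ErrorAction SilentlyContinue
        $actual = if ($props) { $props.($item.Name) } else { $null }
        [pscustomobject]@{
            Path     = $item.Path
            Name     = $item.Name
            Expected = $item.Expected
            Actual   = $actual
            Drifted  = ($actual -ne $item.Expected)   # a missing value counts as drift
        }
    }
}

Get-ReprocessState | Format-Table -AutoSize
$results = Test-RegistryBaseline -Baseline $baseline
$results | Format-Table -AutoSize

# Non-zero exit code lets a scheduled task or monitoring agent flag the drift.
if ($results | Where-Object Drifted) { exit 1 } else { exit 0 }
```

Run it after a patch cycle to see which machines lost the setting and whether the extension that delivers it is configured to reprocess unchanged GPOs.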