BACK

Software Deployment via GPO:

This section all about application deployment. For OS patches reference SUS or WUS or WSUS or SMS.

AD GPOs can be used to deploy software. The four phases of software deployment are: preparation, deployment, maintenance, and removal.

Preparation for Software Deployment via GPO

Windows Installer Service

• Runs on XP, 2003, 2000
• automates software installation
• has auto-software repair / application resilience features
• can install some parts of an application, and set other parts to install on use
• partial installs can be rolled back cleanly
• cleans up files and registry entries on un-install - leaves shared files appropriately
• Windows installer package contains external files for the install and the .msi file
• Can create Windows installer packages with Veritas WinINSTALL

.msi

• when installed from a GPO, .msi files run as local system (by default)
• when installed by a user, .msi files run under that user's security context
• .msi file contains a list of all files, file locations, registry changes, version numbers, etc.

.zap

• If no .msi files use this as a secondary option
• text file
• can be published; can NOT be assigned
• does not run as the local system (like .msi files do from GPOs)
• KB 231747

Distribution Point

• Create a stable distribution point for the GPOs to reference
• DFS allows automated load balancing and targets to use a fileshare in their own site
• If no DFS use a single share
• Within the distro point create folders for each app
• Setting up the distro point as a hidden share is a bonus
• Optionally set up auditing on the share to track installs

Installation Scope

• You will create a GPO object to deploy an .msi - what OU(s) will this GPO link to
• Link the .msi GPO with a no override setting to install regaurdless of block inheritance settings
• A test group would get their own OU
• Each functional group of users or computers could be grouped by OU

Deployment of Software Deployment via GPO

Document invocation

• The action of opening a file of a type assisited with an application installs that application
• The Software installation Properties dialog, File Extensions tab is used to control file extention applcication preference. As this setting is GPO specific, different OUs can use the same file extention to invoke different application installs!
• While on by default, for apps published to users, the document invocation feature can be turned off

Assigning Applications

• Assigned to users:
  • Visable to assigned users in their Start menu
  • Actually installed on first use -or- by document invocation
  • While not visable (in the Start menu) to users to whom the app is not assigned, they can still browse the program files folder and use it - use NTFS permission via the .msi to stop this
  • Once installed, if removed will reinstall itself the next time an assigned user logs on
• Assigned to computers:
  • Visable to all users of the computer
  • Actually installed on first use -or- by document invocation
  • Once installed, if removed will reinstall itself the next time the machine boots up
  • Ex: Assign an app to computer and link at the domain level - all machines will have this app installed

Publishing Applications

• Can NOT publish to computers
• Publish to users
• Applicaiton avail in the control panel add/remove programs
• Also installed by document invocation
• No Start menu "placeholders" like with assignment
• Once installed, if removed will NOT reinstall itself
• Ex: Publish app to users in the marketing dept (link to marketing OU) allowing them to install this app if the choose to

Use WMI filters with the GPO link to filter application installation by hardware - free drive space, chipspeed, etc.

Transform File - .mst

• Allows customization of .msi
• Use a wizard to create .mst
• Deploy .mst with .msi by using the advanced option in the deploy software wizard - order with care - can not modify later

Software catagories

• Set software catagories one for use across the domain in all GPOs
• Creates additional folders in the control panel add/remove programs for ease of finding apps to install

Uninstall this Applicaiton when it falls out of the scope of management

• Off by default
• When the GPO that applies the app install no longer applies - the app is un-installed!
  • User moves out of OU
  • Computer moves out of OU
  • GPO link is removed from OU
• Not available to .zap installed apps

Do not display app in add/remove

• Off by default
• Applicable to assigned or published to users only

Install App at logon

• Off by default
• Applicable only to assignment to users
• Installs the app, instead of the default of just advertising it
• Good for laptop users

Installation Inferface

• Basic - default - only prompts for required info not pre-configured in .msi
• Max - allows use to customize install
• Not avail for .zap

Maintenance of Software Deployed via GPO by way of GPO

• updates
• service packs
• new versions
• run old and new version at the same time
• Not avail for .zap

Manditory Upgrade

• old pageage removed - new package installed
• If no old package, just new package installed
• Check the "required upgrade for existing packages" box

Optional Upgrade

• Do NOT check the "required upgrade for existing packages" box
• users with old app can upgrade via add/remove
• users without old app can install upgraded app from add/remove

Redeployment

• deploy .msp (Windows Installer Patch) or new .msi in the distro share
• right-click the original GPO and choose all tasks / redeploy

Removal of Software Deployed via GPO by way of GPO

Does not apply to .zap

Forced Removal

• Removed target app at next boot or logon, whichever is appropriate to the GPO
• "Immediatetly unistall the software from users and computers"

Optional Removal

• If not already there, can't install it
• Once removed can't get it back
• "Allow users to continue to use the software, but prevent new installations"

Tools

Windows installer logs to the application log

msiexec

msizap

BACK