Deploying software with GPO

Having software consistently deployed across the fleet of computers is one of the key points that can be automated.

If I have a choice (and it makes sense), I will always choose GPO over any other solution because it’s embedded into Active Directory, so it doesn’t require installing, learning and maintaining an additional management tool.

MSI – Software Installation

One of the main advantages of MSI installers is that in 99% of cases you can just use the “Software Installation” option in GPO, and GPO will take care of the silent installation. In addition, if a newer version of the installer is ever listed, you can simply link the newer version, and GPO will take care of upgrading the current installations.

The rule is: if the installer doesn’t have any mandatory custom-made parameters, GPO will push the software silently.

How to find out if the MSI can be silently installed with GPO

We are going to use the MsiExec (Windows Installer) tool. My installer file is called GoogleChromeStandaloneEnterprise64.msi

The command line syntax is:

msiexec /i <installer file name> /quiet

That makes my command look like this:

msiexec /i GoogleChromeStandaloneEnterprise64.msi /quiet

If after issuing that command you can see your piece of software has been installed, it’s good to go with GPO.
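Because /quiet shows nothing on screen, it helps to capture the exit code and a verbose log while testing. The following is an added example, not part of the original post; the function name and log path are hypothetical, and it should be run from an elevated PowerShell prompt:

```powershell
# Added example: run a silent MSI install and report what Windows Installer returned.
# GPO installs run as SYSTEM, so test from an elevated prompt.
function Test-SilentMsiInstall {
    param(
        [Parameter(Mandatory)] [string] $MsiPath,
        [string] $LogPath = "$env:TEMP\msi-silent-test.log"   # hypothetical log location
    )
    if (-not (Test-Path -LiteralPath $MsiPath)) {
        throw "Installer not found: $MsiPath"
    }
    $full = (Resolve-Path -LiteralPath $MsiPath).ProviderPath

    # /quiet = no UI, /norestart = never reboot on its own, /l*v = verbose log
    $msiArgs = "/i `"$full`" /quiet /norestart /l*v `"$LogPath`""
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru

    # Windows Installer exit codes that matter for an unattended install
    $meaning = switch ($proc.ExitCode) {
        0       { 'Success' }
        3010    { 'Success, reboot required' }
        1641    { 'Success, reboot initiated' }
        1603    { 'Fatal error during installation' }
        1618    { 'Another installation is already in progress' }
        1619    { 'Package could not be opened' }
        1639    { 'Invalid command line argument' }
        default { 'Other error, see the log' }
    }

    [pscustomobject]@{
        Package   = $full
        ExitCode  = $proc.ExitCode
        Meaning   = $meaning
        Installed = $proc.ExitCode -in 0, 3010, 1641
        Log       = $LogPath
    }
}

Test-SilentMsiInstall -MsiPath '.\GoogleChromeStandaloneEnterprise64.msi'
```

If Installed is False, the verbose log usually shows which property or parameter the package was waiting for.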

Set up GPO

To make the GPO work, we need to put the installer file on a network share, and since it’s the computers that will be accessing the file, the computer (not the user) must have read access to the file. The easiest way to achieve this is to use the NETLOGON folder.

You access it via \\<DomainName>\NETLOGON

If you’re not sure what your domain name is, simply open Group Policy Management and it will be listed there.

So I’m going to copy the installer file to my NETLOGON folder:

\\company.pri\NETLOGON

Then create a new GPO for the installer:

After opening Group Policy Management, right-click the root or an OU and choose to create a new GPO and link it.

Give it an appropriate name and then expand settings:

Computer > Policies > Software Settings > Software Installation. Then right-click > New > Package.

Point it to your installer file. It is critical that you point to it via a network share path, i.e. either \\DomainName\someshare or \\ComputerName\share

Choose “Assigned” and the job is done.

EXE and Non-standard MSI files

Sometimes the software installer requires custom switches, and the only way to achieve the installation is to use a custom script. Thankfully, GPO gives us the option of startup/shutdown scripts, which execute every time the computer boots or shuts down.

As a side note, I’ll add that you can schedule a task via GPO that will kick off the script on a regular basis, or on every boot, in case you need that. I once needed to deploy a management client that tended to stop its services for no apparent reason, making management of computers that were out in the field a daunting task. I got it solved by having the installer and script copied to the local machine and a scheduled task that executed the script once per hour. The problem of unmanaged computers has gone.

The problem with this kind of installer is that they often don’t advertise which switches are required, which makes things much more difficult. At this stage, you might be forced to either check the developer’s website/manual or even contact them to ask whether silent installation is supported. You can also have a look at the tips section below, which might point you to the solution.

Let’s take as an example the installer for Airtame. It’s MSI based; however, it requires special switches for silent installation. Luckily, the software vendor has provided the manual and the switches required:

https://help.airtame.com/en/articles/2543555-how-to-deploy-the-airtame-app-via-msi

The fastest way to validate the command, without writing the script, is to run it in the shell.

You can open the shell by pressing and holding the SHIFT key, then right-clicking in the window and choosing “Open Windows shell here”

msiexec /i "airtame-application-3.5.1-setup.msi" /quiet WRAPPED_ARGUMENTS="/autostart=false /streaming_notification=true"

Once I’ve validated it’s been installed, time to create a script.

GPO with the Startup script

I’ve put the installer in NETLOGON, as with the previous installer.

Create a new GPO and configure it as follows:

Expand Computer Configuration > Policies > Windows Settings > Scripts > Startup

In the Startup Properties, click “Show Files…” and create a new text file there, changing its extension to BAT (I have all my machines set up to show file extensions, so I can change a file extension just by renaming the file). Open it and paste the script below:

pushd \\company.pri\NETLOGON
msiexec /i "Airtame-3.5.1-setup.msi" /quiet WRAPPED_ARGUMENTS="/autostart=false /streaming_notification=true"
popd

The first line changes the working directory to the folder where the installation file is.

The second line is the same command we tested a moment ago.

The last line returns to the original location. It’s not really needed, but it’s nice to have.

Save the file.

Before closing the Startup explorer window, copy the path (it’s ridiculously long). In my example:

\\company.pri\SysVol\company.pri\Policies\{299CE059-AD3B-4F12-9DC3-3AC9EB36124E}\Machine\Scripts\Startup

Coming back to the “Startup Properties” window, click “Add” this time, and if you can’t see your script, paste the path into the window. Now you can point to the script file you’ve just created.

Go to your test machine, run “gpupdate /force” from the shell and reboot your machine – validate the software got installed.
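Startup scripts run as the local SYSTEM account on every boot, so it is worth skipping machines that already have the software and refusing an installer whose signature does not check out. The sketch below is an added example, not the post's script, and would be added on the “PowerShell Scripts” tab of Startup Properties instead of the BAT file. It assumes the vendor signs its MSI; the DisplayName pattern, signer subject and log path are placeholders to adjust.

```powershell
# Added example: guarded startup install.
# Share path, file name and WRAPPED_ARGUMENTS are taken from the post.
$Msi         = '\\company.pri\NETLOGON\Airtame-3.5.1-setup.msi'
$NamePattern = 'Airtame*'                      # assumed DisplayName in Add/Remove Programs
$SignerLike  = '*<EXPECTED-SIGNER-NAME>*'      # placeholder: subject of the vendor's certificate
$Log         = "$env:windir\Temp\airtame-install.log"   # hypothetical log location

function Test-ProductInstalled([string] $Pattern) {
    # Check both the 64-bit and 32-bit uninstall registry views
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $hit = Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
           Where-Object { $_.DisplayName -like $Pattern }
    return [bool]$hit
}

function Test-TrustedInstaller([string] $Path, [string] $Signer) {
    # Status is 'Valid' only if the file is signed, unmodified and chains to a trusted root
    $sig = Get-AuthenticodeSignature -FilePath $Path
    return ($sig.Status -eq 'Valid') -and
           ($sig.SignerCertificate.Subject -like $Signer)
}

# Already installed: nothing to do on this boot
if (Test-ProductInstalled $NamePattern) { exit 0 }

if (-not (Test-TrustedInstaller $Msi $SignerLike)) {
    Add-Content -Path $Log -Value "$(Get-Date -Format s) signature check failed: $Msi"
    exit 1
}

# Same command as the BAT file, plus /norestart and a verbose log
$msiArgs = "/i `"$Msi`" /quiet /norestart /l*v `"$Log`" " +
           'WRAPPED_ARGUMENTS="/autostart=false /streaming_notification=true"'
$p = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
exit $p.ExitCode
```

The same reasoning applies to the share itself: only administrators should be able to write to the folder holding the script and the installer.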

Helpful websites

https://chocolatey.org/search – Chocolatey is a powerful package manager based on PowerShell. You can discover switches by reviewing their ps1 files, available on the website. It’s also a great product for installing and maintaining your applications. Have a look and you’ll forget what it’s like to Google for software installers and update applications one by one.

https://www.manageengine.com/products/desktop-central/software-installation/latest-software.html – Another great tool; this one is used for managing computers. On the link above, you can discover how they push particular pieces of software.

https://www.itninja.com/ – a great website for IT professionals which, in the context of this post, has a lot of how-tos on deploying software.

Photo by Ferdinand Stöhr on Unsplash