Having software consistently deployed across the fleet of computers is one of the key points that can be automated.
If I have a choice (and it makes sense), I will always choose GPO over any other solution because it’s embedded into Active Directory thus not requiring installation, learning and maintenance of additional management tool.
MSI – Software Installation
One of the main advantages of MSI installers is that in 99% of cases you can just use the “Software Installation” option in GPO, and GPO will take care of the silent installation. In addition, if the newer version of the installer is ever listed, you can simply link the newer version of the installer, and GPO will take care of upgrading current installations.
The rule is, if the installer doesn’t have any mandatory custom made parameters, it will silently push the software.
How to find out if the MSI can be silently installed with GPO
We are going to use the MsiExec (Windows Installer) tool, my installer file is called: GoogleChromeStandaloneEnterprise64.msi
If after issuing that command you can see your piece of software has been installed, it’s good to go with GPO.
Set up GPO
To make the GPO working, we need to put an installer file on some network share, and since it’s going to be computers accessing the file, the computer must have read access – not the user – to the file. The easiest way to achieve this is to use NETLOGON folder.
Sometimes the software installer requires providing custom switches, and the only way to achieve the installation is to use a custom script. Thankfully in GPO, we have an option of startup/shutdown scripts – that the script will execute every time the computers boots/shuts down.
On the side note, I’ll add that you can schedule a task via GPO that will kick in the script on a regular basis, or every boot – in case you’d need that. I had once a need to deploy the management client that tended to stop its services with no apparent reason, making management of computers that were out in the field a daunting task. Got it solved by having the installer and script copied to the local machine and a scheduled task that was executing script once per hour. The problem of unmanaged computers has gone.
The problem with that kind of installers is the fact they often don’t advertise what switches are required, making it much more difficult. Thus at this stage, you might be forced to either check the developer’s website/manual or even contact them if the silent installation is supported. You can also have a look in the section of tips below which might point you to the solution.
Let’s take as an example the installer for Airtame – it’s MSI based, however, requires special switches for silent installation. Likely enough, the software vendor has provided the manual and switches required:
In the Startup Properties click “Show Files…” and create a new text file there, changing its extension to BAT (what I have set up on all my machines, is to show file extensions – this way I can change file extensions as a file name change), open it and paste the script below:
Coming back to “Startup Properties” window, click “Add” this time, and if you can’t see your script, paste the path to the window – now you can point to the script file you’ve just created.
Go to your test machine, run “gpupdate /force” from the shell and reboot your machine – validate the software got installed.
Helpful websites
https://chocolatey.org/search – Chocolatey is a powerful package manager based on PowerShell. You can discover switches by reviewing their ps1 files, available on the website. It’s also a great product for installing and maintaining your application – have a look and you’ll forget what it’s like to Google for software installer and updating applications one by one.