How to deploy Software using Group Policy



Originally this was just going to be a post showing you how to deploy the Windows InTune client to a computer using Group Policy however it turned out I think this article would be best suited to show you how to use some advanced techniques to deploy software via Group Policy. So even if you don’t want to specifically  deploy the InTune software client to your computers this article will still serve you as a good reference for Group Policy software deployment in general….

Tip #1: DONT! If at all possible do not deploy software this way… Group Policy software deployment has a number of restrictions that makes this one of the less desirable methods of software deployment. Some of the reasons why I would not recommend this deployment method are:

  1. Lack or scheduling. When you deploy software to a computer using Group Policy it will only ever install/un-install on the next reboot of the computer. This makes it very difficult to schedule rollouts especially when deploying large software updates that would put immense load on the LAN when deploying to all the computers first thing in the morning when they are all turned on at the same time. Using something like SCCM is much better with it options for maintenance windows and Wake On LAN options…
  2. MSI and ZAP Installer Only. The only supported applications formats are the more popular MSI installer and the lesser known ZAP package format. This is somewhat restrictive and again software deployment tools like SCCM are vasty superior as they support any sort of installation method.
  3. Fixed Application Install Order. When you add application to the Group Policy Object they install onto the computer in the same order with no way of changing this order.
  4. Nill Visibility. When you go to deploy software using Group Policy the configuration it pushed to the computers but there is never any feedback on weather the software has successfully installed. This lack of visibility could mean you think you have deployed something to all your computers successfully but in reality it has failed to install on many of the computers.
  5. Poor Scoping. When you deploy software using Group Policy you can only specify a UNC path as the location to install the software from. If you have specified a single server in head office this would mean that all the workstation at remote sites will try and download and install over the WAN… Not good. I will make a few recommendation further on as to how to mitigate this however other deployment software tools (again like SCCM) handle this much more automatically which can reduce you admin overhead.

Now that I have sufficiently warned you about Group Policy Software Deployment I would also say there is one exception to this rule where and that is Agent software Deployment. Weather it is SCCM Agent or InTune or even a Anit-Virus software package GP Software deployment is good at deploying the same software package to a large number of computers.

And speaking of services that require agents…

Windows InTune is a new services that is offered by Microsoft that allows IT administrators to manage and monitor computers via a web based console. This service has been often referred to as SCCM in the cloud as it allows you to manage many workstations without the need for any server infrastructure.

For more information on Windows InTune visit http://www.windowsintune.com/

While there is no software to install on servers for the InTune to work it does require you deploy a management client to your workstations. This client software can be either installed manually but when you have 10+ computer in your organisation this can quickly become a management nightmare so Microsoft also provides a way to deploy the InTune client via Group Policy.

Configuring the application install files for Group Policy Deployment

Step 1: Go to Windows Intune website and download the InTune Client software.

Step 2: Right click on “Windows_Intune_Setup.zip” and select the “Extract All” option

Step 3: Extract the contents of the “Windows_Intune_Setup.exe” to the current folder by opening up a command prompt and  running “Windows_Intune_Setup.exe /extract .”.

image

Step 4: Copy the all the files (see below) to the software distribution file share in your organisation .

  • Windows_Intune_Setup.exe
  • Windows_Intune_X64.msi
  • Windows_Intune_X86.msi
  • WindowsIntune.accountcert

You have now setup the installation files for the InTune client (or other software) ready to be deployed in your organisation.

Tip #2: This location needs to have read permission for the “Domain Computers” group applied so that the computer can download and install the files.



19 Comments

  1. [email protected]: Best Practice: How to deploy Software using Group Policy – http://t.co/5r0oyVF – Advanced deploy” ~ Tip 1 is so true!

  2. RT @KBaggerman: [email protected]: Best Practice: How to deploy Software using Group Policy – http://t.co/5r0oyVF – Advanced deploy” ~ Tip 1 is so true!

  3. Alan- The order in which packages install is actually the order in which they appear within the GPC portion of the GPO. So its not the order in which you add them, necessarily. There’s an app floating around out there that lets you re-order them by mucking with the class store objects in AD.

    Darren

  4. I would also add that you should never use an absolute path (i.e. a UNC path to a specific server), always use a DFS path instead. That way you don’t need to remove and re-add the software (or hack the path to the MSI)

  5. Pingback: Configuring a Software Library for Group Policy Software Deployment

  6. 5. Poor Scoping. When you deploy software using Group Policy you can only specify a UNC path as the location to install the software from. If you have specified a single server in head office this would mean that all the workstation at remote sites will try and download and install over the WAN… Not good. I will make a few recommendation further on as to how to mitigate this…

    I didn’t see your recommendations, so here is mine:

    Use shared domain-based DFS roots / namespaces to sync installation sources to remote site servers. If your sites are configured properly, clients will point to the local DFS share for setup files…

  7. If you want an alternative to group policy, you should look into http://www.fasttrackscript.com. I was looking for a cheap alternative and ended up using Fasttrack. It allows you to deploy software to all clients your clients and is very easy to use that and does not require any programming experience. It also has a great step-by-step screenshot guide if you’re in doubt.

Leave a Reply

Your email address will not be published.