Posts tagged ‘Group Policy’

TechEd Video: Optimizing Group Policy in Virtual Desktop (VDI) Environments

Group Policy App for Windows Phone

I am very pleased to announce that my Group Policy App for Windows Phone is now on the Windows Phone Marketplace. This app pulls in all the RSS feeds from this site and many other Group Policy related web sites. It also uses Twitter to show you all the tweets with the #grouppolicy tag and all the tweets from the official Group Policy Team Twitter account @gpteam.

Best of all this app is FREE!!!

In case you were wondering who those guys are in the background of the app, check out the Meet the Group Policy People article.

Now I have to admit that I am not a developer, but this is my first attempt at making a Windows Phone application and it has been pretty easy. If there are any issues with the application, or if you have any feature suggestions, please use the Feedback button (under About) to email me directly. A lot of credit also has to go to David Glover, who wrote the Social Viewer application template this app is based on, which can be found at http://socialviewer.codeplex.com.

Note: There is an update coming some time next week that will enable Facebook support and ad support (got to pay the bills).

Download link zune://navigate/?phoneappid=5c39e194-1280-e011-986b-78e7d1fa76f8 (if the link doesn’t work you can just search for “Group Policy” on the marketplace.)

TechNet: Group Policy for Beginners

Having used Group Policy almost every working day of my life, it is easy to forget that sometimes the basic stuff is still a challenge to get your head around. Microsoft has just released a document (and web page) that is an excellent primer for anyone just starting to use Group Policy. See links below.

Introduces Group Policy, provides an overview of what you can do with Group Policy, describes essential concepts that you must know, and provides step-by-step instructions for the most common Group Policy tasks.

HTML Version: http://technet.microsoft.com/en-us/library/hh147307(WS.10).aspx

Docx Version: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=470526da-8350-4314-a48d-ca97721855e1

Silverlight 5 Group Policy

Microsoft have just released the Silverlight 5 beta during the MIX 2011 summit in Las Vegas, and one of the new features is Group Policy support. However, this “Group Policy” support is at the moment more like a suggested way of configuring the program. What it really means is that you can now control, via a registry key, whether signed/trusted elevated applications may run from within the browser.

For more on trusted in browser applications see http://timheuer.com/blog/archive/2011/04/13/whats-new-in-silverlight-5-a-guide.aspx#trustinbrowser

A new feature we are bringing is the ability to do some of the “trusted” features in Silverlight in the browser. This brings the current functionality of trusted applications in current form to be used in the browser context without having to be installed. This still requires the XAP to have the ElevatedPermissions security setting in the manifest as it would exist with out-of-browser applications as well as the XAP being signed (and the certificate in the user’s trusted publisher store).

 

Additionally the requirement would be that a registry key be set on the machine to enable this. This could be deployed via Group Policy or other desktop-management techniques.

Below I have listed this registry key and how you can use a Group Policy Preferences Registry Item to configure this setting in your organisation.

Allow Elevated Trust Apps In Browser

Key (Machine): HKLM\SOFTWARE\Microsoft\Silverlight\
Value: AllowElevatedTrustAppsInBrowser (REG_DWORD)
Data: 0 (Disabled)
Data: 1 (Enabled)

Step 1. Edit a Group Policy Object that targets all the computers in your organisation to which you want to apply this setting.

Step 2. Navigate to “Computer Configuration > Preferences > Windows Settings”, then right click on “Registry” and click on “New > Registry Item”.

Step 3. Change the Action to “Replace”, enter the key path “SOFTWARE\Microsoft\Silverlight”, type “AllowElevatedTrustAppsInBrowser” as the value name, set the value type to “REG_DWORD” and set the value data to “1”.

Step 4. Click on the Common tab, tick “Remove this item when it is no longer applied” and add a description.

Done… the registry key should now be deployed to all your computers and they will be able to run trusted (signed) applications in the web browser.
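Because this value decides whether signed XAPs may run with elevated trust inside the browser, it helps to be able to report where it is switched on and which publishers are trusted. The PowerShell below is an added example, not code from the original post; the function name is hypothetical, and the key and value name are the ones listed above.

```powershell
# Added example (not from the original post). Requires PowerShell 3.0 or later.
# Reports whether AllowElevatedTrustAppsInBrowser is set on this computer and
# which certificates sit in the Trusted Publishers store.
function Get-SilverlightElevatedTrustState {
    [CmdletBinding()]
    param(
        # Key and value name as listed in the article.
        [string]$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\Silverlight',
        [string]$ValueName = 'AllowElevatedTrustAppsInBrowser'
    )

    $data = $null
    if (Test-Path -Path $KeyPath) {
        $props = Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue
        # The key can exist without the value, so look the property up by name.
        if ($props -and $props.PSObject.Properties[$ValueName]) {
            $data = $props.$ValueName
        }
    }

    # A signed XAP only gets elevated trust when its certificate is in the
    # user's Trusted Publishers store; that view also includes machine-wide
    # and Group Policy distributed certificates.
    $publishers = Get-ChildItem -Path Cert:\CurrentUser\TrustedPublisher -ErrorAction SilentlyContinue |
        Select-Object Subject, Thumbprint, NotAfter

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        ValuePresent      = ($null -ne $data)
        Data              = $data
        Enabled           = ($data -eq 1)    # 1 = Enabled, 0 = Disabled
        TrustedPublishers = @($publishers)
    }
}

# Usage: run on a client after the GPO has applied.
# Get-SilverlightElevatedTrustState | Format-List
```

With the setting enabled, every certificate in that store is a publisher whose XAPs can run elevated in the browser, so the list is worth reviewing alongside the registry value.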

To see what other features are coming in Silverlight v5 go to http://www.microsoft.com/silverlight/future/

Best Practice: How to deploy Software using Group Policy

Originally this was just going to be a post showing you how to deploy the Windows InTune client to a computer using Group Policy. However, it turned out that this article would be best suited to showing you some advanced techniques for deploying software via Group Policy. So even if you don’t specifically want to deploy the InTune client to your computers, this article will still serve as a good reference for Group Policy software deployment in general.

Tip #1: DON’T! If at all possible, do not deploy software this way… Group Policy software deployment has a number of restrictions that make it one of the less desirable methods of software deployment. Some of the reasons why I would not recommend this deployment method are:

  1. Lack of scheduling. When you deploy software to a computer using Group Policy, it will only ever install/un-install on the next reboot of the computer. This makes it very difficult to schedule rollouts, especially when deploying large software updates that would put immense load on the LAN when deploying to all the computers first thing in the morning, when they are all turned on at the same time. Using something like SCCM is much better, with its options for maintenance windows and Wake On LAN.
  2. MSI and ZAP installers only. The only supported application formats are the more popular MSI installer and the lesser known ZAP package format. This is somewhat restrictive, and again software deployment tools like SCCM are vastly superior as they support any sort of installation method.
  3. Fixed application install order. When you add applications to the Group Policy Object, they install onto the computer in the same order, with no way of changing this order.
  4. Nil visibility. When you deploy software using Group Policy, the configuration is pushed to the computers but there is never any feedback on whether the software has successfully installed. This lack of visibility could mean you think you have deployed something to all your computers successfully, but in reality it has failed to install on many of them.
  5. Poor scoping. When you deploy software using Group Policy, you can only specify a UNC path as the location to install the software from. If you have specified a single server in head office, this would mean that all the workstations at remote sites will try to download and install over the WAN… Not good. I will make a few recommendations further on as to how to mitigate this; however, other software deployment tools (again like SCCM) handle this much more automatically, which can reduce your admin overhead.

Now that I have sufficiently warned you about Group Policy software deployment, I would also say there is one exception to this rule, and that is agent software deployment. Whether it is the SCCM agent, InTune or even an anti-virus software package, GP software deployment is good at deploying the same software package to a large number of computers.

And speaking of services that require agents…

Windows InTune is a new service offered by Microsoft that allows IT administrators to manage and monitor computers via a web-based console. This service has often been referred to as SCCM in the cloud, as it allows you to manage many workstations without the need for any server infrastructure.

For more information on Windows InTune visit http://www.windowsintune.com/

While there is no software to install on servers for InTune to work, it does require you to deploy a management client to your workstations. This client software can be installed manually, but when you have 10+ computers in your organisation this can quickly become a management nightmare, so Microsoft also provides a way to deploy the InTune client via Group Policy.

Configuring the application install files for Group Policy Deployment

Step 1: Go to Windows Intune website and download the InTune Client software.

Step 2: Right click on “Windows_Intune_Setup.zip” and select the “Extract All” option

Step 3: Extract the contents of “Windows_Intune_Setup.exe” to the current folder by opening a command prompt and running “Windows_Intune_Setup.exe /extract .”.

Step 4: Copy all the files (see below) to the software distribution file share in your organisation.

  • Windows_Intune_Setup.exe
  • Windows_Intune_X64.msi
  • Windows_Intune_X86.msi
  • WindowsIntune.accountcert

You have now set up the installation files for the InTune client (or other software), ready to be deployed in your organisation.

Tip #2: This location needs to have read permission for the “Domain Computers” group applied so that the computer can download and install the files.
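Computer-assigned packages are installed at startup with system privileges, so the share in Tip #2 should give computers read access and nothing more, and the packages on it should still carry a valid signature. The PowerShell below is an added example, not code from the original article; the function name, the UNC path and the list of allowed writers are assumptions to adjust for your environment.

```powershell
# Added example (not from the original article). Requires PowerShell 3.0 or later.
# Checks NTFS permissions only; SMB share permissions need a separate review.
function Test-SoftwareShare {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)][string]$SharePath,
        # Principals expected to hold write access (assumption).
        [string[]]$AllowedWriters = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
    )

    # Rights that let a principal alter or replace a package, plus the raw
    # GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) bits.
    $rights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    $writeMask = [int]$rights -bor 0x40000000 -bor 0x10000000

    # Folder ACL: anyone outside the allow-list holding a write-type right.
    $writers = (Get-Acl -Path $SharePath).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.FileSystemRights) -band $writeMask) -ne 0 -and
        $AllowedWriters -notcontains $_.IdentityReference.Value
    }

    # Authenticode status of each installer on the share.
    $packages = Get-ChildItem -Path $SharePath -Include *.msi, *.exe -Recurse |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                File   = $_.Name
                Status = $sig.Status
                Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            }
        }

    [pscustomobject]@{
        SharePath         = $SharePath
        UnexpectedWriters = @($writers | ForEach-Object { '{0}: {1}' -f $_.IdentityReference.Value, $_.FileSystemRights })
        Packages          = @($packages)
    }
}

# Usage (placeholder UNC path):
# Test-SoftwareShare -SharePath '\\fileserver\Software\InTune'
```

An empty UnexpectedWriters list and a Status of Valid for each package is the result to aim for before linking the MSI to a GPO.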

Configuring the Group Policy Object for Software Deployment

Step 5: Edit a Group Policy Object that is applied to all the workstations to which you want to deploy the InTune client.

Step 6: Navigate to “Computer Configuration > Policies > Software Settings > Software installation” then right click on “Software installation” then click on “New” then “Packages”

Step 7: Navigate to the path where you placed the installation files and select “Windows_Intune_X64.msi” then click “Open”

Tip #3: If you have x86 clients, repeat from step 7 with the additional steps in my other article How to prevent x86 (32bit) applications installing via Group Policy on Windows x64, to prevent the x86 version from being deployed to the x64 platforms.

Step 8: Click on “Advanced” and then click “OK”

Tip #4: Wait a few seconds while it reads the MSI…

Step 9: As this is an x64 version of the application, I recommend that you add “ x64” to the name of the program to distinguish which version you have deployed.

Step 10 (Optional): If you want to selectively deploy the client to the workstations, click on the “Security” tab and click “Advanced”.

Step 11 (Optional): Un-tick “Include inheritable permissions from this object’s parent”.

Step 12 (Optional): Click “Add”

Step 13 (Optional): Click “OK”

Step 14 (Optional): Click on “Authenticated Users” and click on “Remove”

Step 15 (Optional): Click “Add” and select the security group name (e.g. “InTune Computers”) that will be used to assign this application to specific computers.

Step 16 (Optional): Click on “OK”

Step 17: Accept all other default settings and click “OK”

You should now see something like the image below… The software will now install on the selected computers at the next reboot.

image

InTune Note: The client software that you downloaded from the InTune web site is customised for your computers so they will automatically appear in your InTune web console.

Tip #5: If you also have Verbose vs normal status messages enabled you will see the software being installed during computer start-up.


 

How to configure your Distribution Share for Group Policy Software Deployment

See Part 2 Best Practice: Configuring a Software Library for Group Policy Software Deployment