In my previous articles, I discussed remotely installing a program using PsExec and PowerShell.
In this article, I will discuss how to deploy software using Windows Group Policy.
Group Policies can be a powerful tool for managing users and computers in a Windows network. They can be used to improve security, enforce company policies, and make it easier to manage users and computers.
The Pre-requisites
To deploy software using Group Policy, the environment must meet some prerequisites:
- The computers where you want to deploy the software must be part of a domain network.
- You need sufficient permissions to access and install software on the target computers. This may require administrative rights on the target computers.
- A shared network folder that contains the installation files for the software you want to install.
- The network must be configured to allow communication between the server where the shared folder is hosted and the target computers. This may require configuring firewalls.
- The software installation files must be in a format that can be deployed using Group Policy. This typically includes .msi files.
Meeting The Requirements
Create The Shared Folder
This step consists of creating a shared folder on a server or network location (e.g., a NAS) that holds the software installation files.
Ensure that the folder permissions allow access for the computers that need to install the software. Avoid giving the Everyone group permission to access this folder; this represents a security risk.
After removing the Everyone group from the share permissions, add the “Domain Users” and “Domain Computers” groups to the share permissions, and give them Read permission.
Configure The Firewall Permissions on The Server
After creating the shared folder and giving it the appropriate permissions, you must ensure that the server’s firewall allows incoming file access requests from the target computers.
Open Windows Defender Firewall from the Control Panel, then click on “Advanced Settings”.
In the window that opens, click “Inbound Rules”, select the “File and Printer Sharing (SMB-IN)” rule for the “Domain” profile, then enable it.
Make sure the rule is set to “Allow” traffic.
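The share and firewall steps above can also be scripted on the file server. The following is an added example, not part of the original walkthrough; the folder path and share name are assumed placeholders, and the firewall rule display name is the English one (it is localized on other language versions of Windows).

```powershell
# Added example: run in an elevated PowerShell session on the file server.
$SharePath = 'D:\SoftwareDeploy'      # assumed local folder
$ShareName = 'SoftwareDeploy'         # assumed share name
$Domain    = $env:USERDOMAIN          # NetBIOS name of the server's domain
$Readers   = "$Domain\Domain Users", "$Domain\Domain Computers"

if (-not (Test-Path -LiteralPath $SharePath)) {
    New-Item -ItemType Directory -Path $SharePath | Out-Null
}

# Create the share with read-only access for the two groups named above.
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $SharePath -ReadAccess $Readers | Out-Null
}

# On a pre-existing share, drop Everyone and make sure both groups are present.
$access = Get-SmbShareAccess -Name $ShareName
if ($access.AccountName -contains 'Everyone') {
    Revoke-SmbShareAccess -Name $ShareName -AccountName 'Everyone' -Force | Out-Null
}
foreach ($group in $Readers) {
    if ($access.AccountName -notcontains $group) {
        Grant-SmbShareAccess -Name $ShareName -AccountName $group -AccessRight Read -Force | Out-Null
    }
}

# Packages on this share are installed with system rights on every target,
# so flag any non-administrator entry that holds more than Read.
$writable = Get-SmbShareAccess -Name $ShareName | Where-Object {
    $_.AccessControlType -eq 'Allow' -and $_.AccessRight -ne 'Read' -and
    $_.AccountName -notmatch '\\Administrators$'
}
if ($writable) {
    Write-Warning "More than Read on ${ShareName}: $($writable.AccountName -join ', ')"
}

# Enable the inbound SMB rule for the Domain profile only and set it to Allow.
$rules = Get-NetFirewallRule -DisplayName 'File and Printer Sharing (SMB-In)' |
    Where-Object { $_.Profile -match 'Domain|Any' }
if (-not $rules) { throw 'SMB-In rule for the Domain profile not found.' }
$rules | Set-NetFirewallRule -Enabled True -Action Allow

# Show the resulting state for review.
Get-SmbShareAccess -Name $ShareName | Format-Table AccountName, AccessControlType, AccessRight
Get-NetFirewallRule -DisplayName 'File and Printer Sharing (SMB-In)' |
    Format-Table DisplayName, Profile, Enabled, Action
```

Share permissions are only half of the access check: the NTFS permissions on the folder must also grant the same groups read access and nothing more.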
Prepare the Software Installation Package
Now you need to download the installation package of the software you want to install.
There are two types of installation programs: online and offline installers.
For a remote installation, you need to download the offline installer, which contains all the files needed to perform the installation without connecting to the internet to download missing files.
Since Windows Group Policy accepts only .msi packages to deploy software, you need to download the .msi package from the software vendor's website.
If the software vendor offers only an executable package, you can try to extract the MSI package from it.
In this article, I will deploy the Acrobat Reader application using the executable installer, extracting the MSI package using 7-Zip.
- Right-click on the Acrobat Reader executable installer, click the 7-Zip menu, then click Extract here.
- Copy the extracted files to the shared folder.
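Because the package will be installed on every computer the GPO applies to, it is worth confirming that the extracted MSI still carries a valid vendor signature before it reaches the share. The following is an added example, not part of the original walkthrough; the paths, the server name and the expected publisher string are assumed placeholders.

```powershell
# Added example: run from an account that is allowed to write to the share.
$Extracted         = 'C:\Temp\AcroRdr'             # assumed folder with the 7-Zip output
$Share             = '\\FILESRV01\SoftwareDeploy'  # assumed UNC path of the deployment share
$ManifestPath      = 'C:\Temp\deploy-manifest.csv' # assumed location for the hash record
$ExpectedPublisher = 'Adobe'                       # assumed substring of the signer subject

$packages = Get-ChildItem -LiteralPath $Extracted -Filter *.msi -File
if (-not $packages) { throw "No .msi file found in $Extracted" }

# Check the Authenticode signature of each MSI and record its SHA-256 hash.
$manifest = foreach ($pkg in $packages) {
    $sig = Get-AuthenticodeSignature -LiteralPath $pkg.FullName
    if ($sig.Status -ne 'Valid') {
        throw "$($pkg.Name): signature status is $($sig.Status); do not deploy."
    }
    if ($sig.SignerCertificate.Subject -notmatch [regex]::Escape($ExpectedPublisher)) {
        throw "$($pkg.Name): unexpected signer $($sig.SignerCertificate.Subject)"
    }
    [pscustomobject]@{
        File   = $pkg.Name
        SHA256 = (Get-FileHash -LiteralPath $pkg.FullName -Algorithm SHA256).Hash
        Signer = $sig.SignerCertificate.Subject
    }
}

# Copy the extracted files to the share only after every MSI has passed.
Copy-Item -Path (Join-Path $Extracted '*') -Destination $Share -Recurse -Force

# Re-hash the copies on the share and compare them with the verified originals.
foreach ($entry in $manifest) {
    $remote = Get-FileHash -LiteralPath (Join-Path $Share $entry.File) -Algorithm SHA256
    if ($remote.Hash -ne $entry.SHA256) {
        throw "$($entry.File): hash on the share differs from the verified copy."
    }
}

# Keep the manifest off the share so later audits can detect tampering.
$manifest | Export-Csv -Path $ManifestPath -NoTypeInformation
$manifest | Format-Table File, SHA256
```

Re-running the hash comparison against the saved manifest at a later date shows whether a package on the share has been replaced since it was verified.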
Create the GPO to Deploy Software to Remote Computers
Open Group Policy Management Console.
- Create a new policy and give it a name (e.g. Deploy-Software)
- Edit the new policy.
- Navigate to Computer Configuration > Policies > Software Settings > Software installation.
- Right-click Software Installation and select New > Package
- Select the MSI package from the shared folder.
- For the deployment method, select “Assigned” and click OK. “Published” is grayed out, as this option is only available when deploying software to users.
That completes the GPO configuration. The GPO settings should look like this.
The software is installed only during a reboot, and the computer must first update its GPO settings. GPO settings refresh automatically every 90 minutes.
To force the GPO settings to apply on the computer, use the “gpupdate /force” command.
You will be asked to restart the computer to enable the policy settings.
The software will be installed on reboot.
Note: For more details on the difference between Assigned vs published deployment mode, check the Microsoft documentation.
Mistakes to avoid when remotely installing software on Windows
- Not checking system requirements: Before installing any software, it’s essential to check the system requirements to ensure that the software is compatible with the target PC’s operating system and hardware.
- Not testing the installation process: Before installing software remotely, it’s a good idea to test the installation process on a test machine to ensure that everything works as expected. This will help you identify and fix any issues before deploying the software to production machines.
- Not checking for conflicts: Installing new software on a computer with conflicting software can cause unexpected problems. Before you install any software remotely, ensure there are no conflicts with existing software.
- Not communicating with end-users: When you remotely install software on a user’s computer, it’s important to communicate with the user to let them know what to expect. This can include letting them know when the installation will take place and what steps they need to take, if any.
- Not having a backup plan: Even with careful planning and testing, things can go wrong during the remote installation. It’s essential to have a backup plan in place in case something goes wrong. This can include having a plan to roll back the installation or having a backup image of the computer.