1. Understanding Group Policy Software Installation
Group Policy software installation (GPSI) is used to create a
managed software environment that has the following
characteristics:
- Users have access to the applications they need to do their jobs, no matter which computer they log on to.
- Computers have the required applications, without intervention from a technical support representative.
- Applications can be updated, maintained, or removed to meet the needs of the organization.
The software installation extension is one of the many
client-side extensions (CSEs) that support change and configuration
management using Group Policy. The extension
allows you to centrally manage the initial deployment, the upgrades,
and the removal of software.
Windows Installer Packages
GPSI uses the Windows Installer service to install, maintain, and remove software. The
Windows Installer service manages software, using information
contained in the application’s Windows Installer package. The
Windows Installer package is in a file with an .msi extension that describes the installed state of
the application. The package contains explicit instructions
regarding the installation and removal of an application. You can
customize Windows Installer packages by using one of the
following types of files:
- Transform (.mst): These files provide a means for customizing the installation of an application. Some applications provide wizards or templates that permit a user to create transforms. For example, Adobe provides an enterprise deployment tool for Adobe Acrobat Reader that generates a transform. Many enterprises use the transform to configure agreement with the end user license agreement and to disable certain features of the application such as automatic updates that involve access to the Internet.
- Patch (.msp): These files are used to update an existing .msi file for security updates, bug fixes, and service packs. An .msp file provides instructions about applying the updated files and registry keys in the software patch, service pack, or software update. For example, updates to Microsoft Office 2003 and later are provided as .msp files.
Note: GPSI AND WINDOWS INSTALLER PACKAGES
GPSI can fully manage applications only if the applications
are deployed using Windows Installer packages. Other tools,
including Configuration Manager and SMS, can manage applications
that use other deployment mechanisms.
The .msi file, transforms, and other files required to install
an application are stored in a shared software distribution point (SDP).
Software Deployment Options
You can deploy software by assigning applications to users or
computers or by publishing applications for users. You
assign required or mandatory software to users
or computers. You publish software that users
might find useful in performing their jobs.
When you assign an application to a user, the
application’s local registry settings, including file name
extensions, are updated and its shortcuts are created on the
Start menu or desktop, thus advertising the availability of the
application. The application advertisement follows the user
regardless of which physical computer he or she logs on to. This
application is installed the first time the user activates the
application on the computer, either by selecting the application
on the Start menu or by opening a document associated with the
application. When you assign an application to the computer, the
application is installed during the computer’s startup
process.
When you publish an application to users, the application
does not appear as if it is installed on the users’ computers.
No shortcuts are visible on the desktop or Start menu. Instead,
the application appears as an available application for the user
to install by using Add Or Remove Programs in Control Panel on a
Windows XP system or in Programs And Features on a Windows
Server 2008, Windows Vista, or later system. Additionally, the
application can be installed when a user opens a file type
associated with the application. For example, if Acrobat Reader
is published to users, it is installed if a user opens a file
with a .pdf extension.
Given that applications can be either assigned or
published and targeted to users or computers, you can establish
a workable combination to meet your software management goals.
Table 1 describes
the different software deployment options.
Table 1. Software Deployment Options

| | PUBLISH (USER ONLY) | ASSIGN (USER) | ASSIGN (COMPUTER) |
|---|---|---|---|
| After deployment of the GPO, the software is available for installation: | The next time a user logs on. | The next time a user logs on. | The next time the computer starts. |
| Typically, the user installs the software from: | Control Panel Add Or Remove Programs (Windows XP) or Programs And Features (Windows Server 2008, Windows Vista, and later). | The Start menu or a desktop shortcut. An application can also be configured to install automatically at logon. | The software is installed automatically when the computer starts. |
| If the software is not installed and the user opens a file associated with the software, does the software install? | Yes (if auto-install is enabled). | Yes. | Does not apply; the software is already installed. |
| Can the user remove the software by using Control Panel? | Yes, and the user can choose to install it again from Control Panel. | Yes, and the software is available for installation again from the Start menu, shortcuts, or file associations. | No. Only a local administrator can remove the software; a user can run a repair on the software. |
| Supported installation files: | Windows Installer packages (.msi files) and .zap files. | Windows Installer packages (.msi files). | Windows Installer packages (.msi files). |

Now that you understand GPSI at a high level, you are ready to
prepare the SDP. The SDP is simply a shared folder from which users
and computers can install applications. Create a shared folder and create a
separate folder for each application. Then copy the software package,
modifications, and all other necessary files to the application
folders. Set appropriate permissions on the folders that allow users
or computers Read & Execute permission—the minimum permission
required to successfully install an application from the SDP. The
administrators of the SDP must be able to change and delete files to
maintain the SDP over time.
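
Because clients install whatever they find in the SDP, the folder permissions described above are worth checking rather than assuming. The following is an added example, not part of the original text: it walks an SDP and reports every Allow entry that grants more than Read & Execute to a principal outside a trusted list. The share path and the `EXAMPLE\SDP_Admins` group are hypothetical placeholders.

```powershell
# Added example: report ACEs on an SDP that let non-administrators alter packages.
# The share path and the trusted-writer list are assumptions; replace them with your own.
param(
    [string]$SdpPath = '\\fileserver.example.com\Software',   # hypothetical SDP share
    [string[]]$TrustedWriters = @(
        'BUILTIN\Administrators',
        'NT AUTHORITY\SYSTEM',
        'EXAMPLE\SDP_Admins'                                  # hypothetical SDP admin group
    )
)

# Rights beyond Read & Execute: anything that can change, replace or re-permission a file.
# GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) cover inherit-only ACEs that
# Get-Acl returns as raw generic bits instead of named FileSystemRights.
$writeMask = ([int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership') -bor
             0x40000000 -bor 0x10000000

# The SDP root first, then every application folder and file beneath it.
$items = @(Get-Item -LiteralPath $SdpPath) +
         @(Get-ChildItem -LiteralPath $SdpPath -Recurse -Force)

$findings = foreach ($item in $items) {
    $isRoot = $item.FullName -eq $items[0].FullName
    foreach ($ace in (Get-Acl -LiteralPath $item.FullName).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Inherited ACEs are reported once, where they are defined (or at the SDP root).
        if ($ace.IsInherited -and -not $isRoot) { continue }
        if ($TrustedWriters -contains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }
        [pscustomobject]@{
            Path     = $item.FullName
            Identity = $ace.IdentityReference.Value
            Rights   = $ace.FileSystemRights
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize -Wrap
    Write-Warning "$(@($findings).Count) ACE(s) grant write access to the SDP outside the trusted list."
} else {
    Write-Output 'No write-capable ACEs found outside the trusted list.'
}
```

This covers NTFS permissions only; share-level permissions are a separate check, for example with `Get-SmbShareAccess` on the file server.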
3. Creating a Software Deployment GPO
To create a software deployment GPO:
- Use the Group Policy Management console to create a new GPO or select an existing GPO.
- Edit the GPO using the Group Policy Management Editor.
- Expand the console nodes Computer Configuration\Policies\Software Settings\Software Installation. Alternately, select the Software Installation node in the User Configuration branch.
- Right-click Software Installation, point to New, and then click Package.
- Browse to locate the .msi file for the application. Click Open.
  The Deploy Software dialog box appears, shown in Figure 1.
- Select Published, Assigned, or Advanced.
  You cannot publish an application to computers, so the option will not be available if you are creating the package in the Software Installation node in Computer Configuration.

The Advanced option lets you specify whether the application is published or assigned and gives you the opportunity to configure advanced properties of the software package. Therefore, it is recommended that you choose Advanced. The package properties dialog box appears. Among the more important properties that you can configure are the following choices:
- Deployment Type: On the Deployment tab, configure Published or Assigned.
- Deployment Options: Based on the selected deployment type, different choices appear in the Deployment Options section. These options, along with other settings on the Deployment tab, manage the behavior of the application installation.
- Uninstall This Application When It Falls Out Of The Scope Of Management: If this option is selected, the application will be automatically removed when the GPO no longer applies to the user or computer.
- Upgrades: On the Upgrades tab, you can specify the software that this package will upgrade.
- Categories: The Categories tab allows you to associate the package with one or more categories. Categories are used when an application is published to a user. When the user goes to Control Panel to install a program, applications published using GPSI are presented in groups based on these categories.
  To create categories that are available to associate with packages, right-click Software Installation and click Properties; then click the Categories tab.
- Modifications: If you have a transform (.mst file) that customizes the package, click Add to associate the transform with the package. Most tabs in the package Properties dialog box are available for you to change settings at any time. However, the Modifications tab is available only when you create the new package and choose the Advanced option shown in Figure 1.
3. Managing the Scope of a Software Deployment GPO
After you have created a software deployment GPO, you can scope the GPO to
distribute the software to appropriate computers or users. In many
software management scenarios, applications should be assigned to
computers rather than to users. This is because most software licenses
allow an application to be installed on one computer, and if the
application is assigned to a user, the application is installed on
each computer to which the user logs on.
You can scope a
GPO by linking the GPO to an OU or by filtering the GPO so that it
applies only to a selected global security group. Many organizations
find that it is easiest to manage software by linking an application’s
GPO to the domain and filtering the GPO with a global security group
that contains the users and computers to which the application should
be deployed. For example, a GPO that deploys the XML Notepad tool (available from the Microsoft downloads
site at http://www.microsoft.com/downloads)
would be linked to the domain and filtered with a group containing
developers that require the tool. The group would have a descriptive
name that indicates its purpose to manage the deployment of XML
Notepad—APP_XML Notepad, for example.
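
The link-and-filter approach described above can be scripted with the GroupPolicy module. The following is an added example, not part of the original text, and it handles scoping only; the package itself is still added in the Group Policy Management Editor. The GPO name is an assumption (named after the group from the text), and the domain is read from the current environment.

```powershell
# Added example: link an application GPO at the domain and filter it to one security group.
# Requires the GroupPolicy and ActiveDirectory modules (RSAT).
Import-Module GroupPolicy, ActiveDirectory

$GroupName = 'APP_XML Notepad'         # group name used in the text
$GpoName   = 'APP_XML Notepad'         # assumption: GPO named after the group
$DomainDn  = (Get-ADDomain).DistinguishedName

# The text calls for a global security group; refuse anything else.
$group = Get-ADGroup -Identity $GroupName
if ($group.GroupCategory -ne 'Security' -or $group.GroupScope -ne 'Global') {
    throw "$GroupName is $($group.GroupScope)/$($group.GroupCategory), expected Global/Security."
}

# Create the GPO if it does not exist yet, then link it to the domain once.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName -Comment 'GPSI deployment of XML Notepad' }
$linked = (Get-GPInheritance -Target $DomainDn).GpoLinks.DisplayName -contains $GpoName
if (-not $linked) { New-GPLink -Name $GpoName -Target $DomainDn -LinkEnabled Yes | Out-Null }

# Security filtering: the application group gets Apply; Authenticated Users drops to Read.
# Read is kept so that clients can still retrieve the GPO, which current Windows clients do
# in the computer's security context. -Replace is required to lower an existing level.
Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group `
    -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null

# Show the resulting filter so it can be reviewed.
Get-GPPermission -Name $GpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
```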