Professional Documents
Culture Documents
Performing Software Installation With Group Policy
Performing Software Installation With Group Policy
with Group
Policy
Lesson
9
Skills Matrix
Technology Skill
Objective Domain
Objective #
Managing Software
Through Group Policy
Configure software
deployment GPOs
4.5
.MSI File
Microsoft Windows Server 2008 uses the
Windows Installer with Group Policy to
install and manage software that is
packaged into an .msi file.
The Windows Installer Service, responsible
for automating the installation and
configuration of the designated software.
The Windows Installer Service requires a
package file (.msi file) that contains all of
the pertinent information about the
software.
MSI File
The .msi file:
Is a relational database file that is copied to
the target computer system with the program
files it deploys.
Assists in the self-healing process for damaged
applications and clean application removal.
Consists of external source files that may be
required for the installation or removal of
software.
Includes summary information about the
software and the package.
Includes reference point to the path where the
installation files are located.
.MST File
You may need to modify Windows
Installer files to better suit the needs
of your corporate network.
Modifications to .msi files require
transform files, which have an .mst
extension.
ZAP File
When repackaging an application is not an option and
a Windows Installer file is not available, you can use
a .zap file to publish an application.
A .zap file is a nonWindows Installer package that can
be created in a text editor.
The disadvantages of creating .zap files are as follows:
They can be published, but not assigned.
Deployments require user intervention, instead of being
fully unattended.
Local administrator permissions might be required to
perform the installation.
They do not support custom installations or automatic
repair.
They do not support the removal of applications that are no
longer needed or applications that failed to install properly.
Publishing Software
You can publish a program distribution to users.
When the user logs on to the computer, the
published program is displayed in the Add or
Remove Programs dialog box, and it can be
installed from there.
Certificate
You can build Certificate rules by providing a
code-signing software publisher certificate.
Certificate rules apply no matter where the
program file is located or what it is named.
Internet Zone
Apply software restriction policy rules based
on the Microsoft Internet Explorer security
zone in which the program is run.
Currently, these rules apply only to Microsoft
Windows Installer packages that are run from
the zone. Internet Zone rules do not apply to
programs that are downloaded by Internet
Explorer.
Summary
Group Policy can be used to deploy
new software on your network and
remove or repair software originally
deployed by a GPO from your network.
This functionality is provided by the
Windows Installer service within the
Software Installation extension of
either the User Configuration\Software
Settings or Computer
Configuration\Software Settings node.
Summary
Three types of package files are used
with the Windows Installer service:
.msi files for standard software
installation.
.mst files for customized software
installation.
.msp files for patching .msi files at the
time of deployment.
Summary
A .zap file can be written to allow
nonWindows Installercompliant
applications to be deployed.
A .zap file does not support automatic
repair, customized installations, or
automatic software removal.
In addition, these files must be
published.
Summary
A shared folder named a software
distribution point must be created to
store application installation and
package files that are to be deployed
using Group Policy.
Users must have the NTFS Read
permission to this folder for software
installation policies to function.
Summary
Software to be deployed using Group Policy
can either be Assigned or Published.
Assigning software using the User
Configuration node of a Group Policy allows
the application to be installed when the
user accesses the program using the Start
menu or an associated file.
Assigning software can also be performed
using the Computer Configuration node of a
Group Policy, which forces the application
to be installed during computer startup.
Summary
Publishing an application allows the
application to be available through
Add Or Remove Programs in Control
Panel.
In addition, published applications
can be divided into domain-wide
software categories for ease of use.
Summary
Software restriction policies were
introduced in Windows Server 2003
and allow the software's executable
code to be identified and either
allowed or disallowed on the
network.
Summary
The three Default Security Levels within
Software Restriction Policies are:
Unrestricted, which means all
applications function based on user
permissions.
Disallowed, which means all applications
are denied execution regardless of the
user permissions.
Basic User, which allows only executables
to be run that can be run by normal
users.
Summary
Four rule types can be defined within
a Software Restriction Policy.
They include, in order of precedence,
hash, certificate, network zone, and
path rules.
The security level set on a specific
rule supersedes the Default Security
Level of the policy.
Summary
Enforcement properties within
Software Restriction Policies allow
the administrator to control users
affected by the policy.
Administrators can be excluded from
the policy application so that it does
not hamper their administrative
capabilities.
Summary
Certificate rules require enabling the
System settings: Use Certificate
Rules on Windows Executables for
Software Restriction Policies located
in Computer Configuration\Windows
Settings\Security Settings\Local
Policies\ Security Options.
Summary
Path rules can point to either a file system
directory location or a registry path location.
The registry path location is the more
secure option of the two choices because
the registry key location changes
automatically if the software is reinstalled.
In contrast, if a file system directory is
blocked for executables, the program can
still run from an alternate location if it is
moved or copied there, allowing the
possibility of a security breach.