Performing Software Installation with Group Policy Lesson 9.

Performing Software Performing Software Installation with Installation with

Group PolicyGroup PolicyLesson 9

Skills MatrixSkills Matrix

Technology Skill Objective Domain Objective #

Managing Software Through Group Policy

Configure software deployment GPOs

4.5

Lesson 9Lesson 9

Software Life Cycle

Planning

Implementation

Maintenance

Removal

Lesson 9Lesson 9

Configuring Software Installation Defaults

Open the Group Policy Management Editor window for an existing GPO.

Expand the User Configuration or the Computer Configuration node, followed by Software Settings.

Right-click the appropriate Software Installation node, and then click Properties.

Lesson 9Lesson 9

Configuring Software Installation Defaults (cont.)

In the General tab of the Software Installation Properties dialog box, key the Uniform Naming Convention (UNC) path (\\servername\ sharename) to the software distribution point for the Windows Installer packages (.msi files) in the GPO in the Default Package Location box.

In the New Packages section on the General tab, select one of the options listed.

Lesson 9Lesson 9

Configuring Software Installation Defaults (cont.)

In the Installation User Interface Options section, select one of the options listed.

Click the Advanced tab, and select any of the listed options to apply the options to all packages in the GPO.

Lesson 9Lesson 9

Configuring Software Installation Defaults (cont.)

In the Application Precedence list box, move the application with the highest precedence to the top of the list using the Up or Down buttons.

Click the Categories tab, and then click Add.

Lesson 9Lesson 9

Configuring Software Installation Defaults (cont.)

Key the name of the application category to be used for the domain in the Category box, and click OK.

Click OK to save your changes.

Lesson 9Lesson 9

Creating a New Software Installation Package

Open the Group Policy Management Editor for the GPO you wish to configure.

In the Computer Configuration or User Configuration node, drill down to Software Settings.

Right-click the Software Installation node, select New, and then click Package.

Lesson 9Lesson 9

Creating a New Software Installation Package (cont.)

In the File Name list, key the UNC path to the software distribution point for the Windows Installer packages (.msi files), and then click Open.

Lesson 9Lesson 9

Creating a New Software Installation Package (cont.)

Select one of the options listed.

If you selected Published or Assigned, the Windows Installer package has been successfully added to the GPO and appears in the Details pane.

Lesson 9Lesson 9

Creating a New Software Installation Package (cont.)

If you selected Advanced, the Properties dialog box for the Windows Installer package opens to permit you to set properties for the Windows Installer package, including deployment options and modifications.

Make the necessary modification, and click OK.

Lesson 9Lesson 9

Configuring Software Restriction PoliciesUnrestricted

Disallowed

Basic User

Lesson 9Lesson 9

Modifying the Default Security Level

In the Group Policy Management Editor window for the desired policy, expand the Software Restriction Policies node from either the Computer Configuration\Windows Settings\ Security Settings or User Configuration\Windows Settings\Security Settings node.

If a software restriction policy is not already defined, right-click Software Restriction Policies, and select New Software Restriction Policies.

Lesson 9Lesson 9

Modifying the Default Security Level (cont.)

In the details pane, double-click Security Levels.

Right-click the security level that you want to set as the default, and then click Set As Default.

Lesson 9Lesson 9

Configuring Software Restriction Rules

Hash rule

Certificate rule

Path rule

Network zone rule

Lesson 9Lesson 9

You Learned

Group Policy can be used to deploy new software on your network and remove or repair software originally deployed by a GPO from your network. This functionality is provided by the Windows Installer service within the Software Installation extension of either the User Configuration\Software Settings or Computer Configuration\Software Settings node.

Lesson 9Lesson 9

You Learned (cont.)

Three types of package files are used with the Windows Installer service: .msi files for standard software installation, .mst files for customized software installation, and .msp files for patching .msi files at the time of deployment. All pertinent files must reside in the same file system directory.

Lesson 9Lesson 9

You Learned (cont.)

A .zap file can be written to allow non–Windows Installer–compliant applications to be deployed. A .zap file does not support automatic repair, customized installations, or automatic software removal. In addition, these files must be published.

Lesson 9Lesson 9

You Learned (cont.)

A shared folder named a software distribution point must be created to store application installation and package files that are to be deployed using Group Policy. Users must have the NTFS Read permission to this folder for software installation policies to function.

Lesson 9Lesson 9

You Learned (cont.)

Software to be deployed using Group Policy can either be Assigned or Published. Assigning software using the User Configuration node of a Group Policy allows the application to be installed when the user accesses the program using the Start menu or an associated file. Assigning software can also be performed using the Computer Configuration node of a Group Policy, which forces the application to be installed during computer startup.

Lesson 9Lesson 9

You Learned (cont.)

Publishing an application allows the application to be available through Add Or Remove Programs in Control Panel. In addition, published applications can be divided into domain-wide software categories for ease of use.

Lesson 9Lesson 9

You Learned (cont.)

Software restriction policies were introduced in Windows Server 2003 and allow the software's executable code to be identified and either allowed or disallowed on the network.

Lesson 9Lesson 9

You Learned (cont.)

The three Default Security Levels within Software Restriction Policies are Unrestricted, which means all applications function based on user permissions; Disallowed, which means all applications are denied execution regardless of the user permissions; and Basic User, which allows only executables to be run that can be run by normal users.

Lesson 9Lesson 9

You Learned (cont.)

Four rule types can be defined within a Software Restriction Policy. They include, in order of precedence, hash, certificate, network zone, and path rules. The security level set on a specific rule supersedes the Default Security Level of the policy.

Lesson 9Lesson 9

You Learned (cont.)

Enforcement properties within Software Restriction Policies allow the administrator to control users affected by the policy. Administrators can be excluded from the policy application so that it does not hamper their administrative capabilities.

Lesson 9Lesson 9

You Learned (cont.)

Certificate rules require enabling the System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies located in Computer Configuration\Windows Settings\Security Settings\Local Policies\ Security Options.

Lesson 9Lesson 9

You Learned (cont.)

Path rules can point to either a file system directory location or a registry path location. The registry path location is the more secure option of the two choices because the registry key location changes automatically if the software is reinstalled. In contrast, if a file system directory is blocked for executables, the program can still run from an alternate location if it is moved or copied there, allowing the possibility of a security breach.