1 00:00:03,060 --> 00:00:03,470 Okay. 2 00:00:03,480 --> 00:00:07,650 In this module, I'm going to talk about deploying software using group policy. 3 00:00:08,550 --> 00:00:13,800 So one of the capabilities of group policy is the ability to deploy or install software. 4 00:00:14,720 --> 00:00:19,340 It's sort of a I would call it a rudimentary software distribution capability. 5 00:00:20,280 --> 00:00:25,980 So unlike products like System Center Configuration Manager or other third-party software distribution 6 00:00:25,980 --> 00:00:31,530 products, the group policy software installation feature in the group policy engine is fairly limited 7 00:00:31,530 --> 00:00:32,490 in what it can do. 8 00:00:33,330 --> 00:00:38,580 So what it does provide, other than that basic software distribution capability is you're going to 9 00:00:38,580 --> 00:00:45,960 only install MSI or Windows Installer packages so that the setup has to be in an MSI format in order 10 00:00:45,960 --> 00:00:49,410 for it to work with the group policy software installation feature. 11 00:00:50,300 --> 00:00:55,130 There's a small fringe exception to that that I'm really not going to cover because it kind of limits 12 00:00:55,130 --> 00:00:57,550 the capabilities of the search function. 13 00:00:57,560 --> 00:00:59,750 But and it's called ZAP packaging. 14 00:00:59,750 --> 00:01:04,730 And it's it goes way back to the very beginning of group policy and really isn't used anymore. 15 00:01:05,620 --> 00:01:10,240 But it does provide a limited amount of capabilities around non-MSI deployment. 16 00:01:11,140 --> 00:01:16,180 You can do either per-computer or per-user targeting as is normal with group policy. 17 00:01:17,080 --> 00:01:23,620 So you can deploy a package to a computer or group of computers, or you can deploy it to users. 
18 00:01:24,520 --> 00:01:30,130 So whenever a user logs on to a computer, if they have a package deployed to them and it's not already 19 00:01:30,130 --> 00:01:32,290 installed, it gets installed on that computer. 20 00:01:33,190 --> 00:01:37,900 You can do some level of lifecycle support with the group policy software deployment feature. 21 00:01:37,900 --> 00:01:41,080 So that includes things like upgrades, patches and removals. 22 00:01:41,980 --> 00:01:43,840 You can also redeploy software. 23 00:01:43,870 --> 00:01:49,210 So if you if it's been deployed and for whatever reason, it's not getting there or it's not triggering 24 00:01:49,210 --> 00:01:52,780 a deployment on the target system, you can actually do a redeploy. 25 00:01:53,620 --> 00:01:57,850 Now let's look at what it doesn't provide, which is probably more relevant. 26 00:01:58,770 --> 00:02:04,110 I will say that to put it in context, a group policy software deployment feature is really designed 27 00:02:04,110 --> 00:02:09,360 for small or medium shops that don't want to spend the money of a big, you know, software distribution 28 00:02:09,360 --> 00:02:15,360 package like System Center Configuration Manager and just need some basic software deployment capability. 29 00:02:16,230 --> 00:02:21,510 So what software deployment and group policy does not provide is, as I've mentioned, support for, 30 00:02:21,540 --> 00:02:26,130 you know, full featured support for other types of setup packages other than MSI. 31 00:02:26,970 --> 00:02:32,070 So Daddy Yankee or whatever deployment packages you might have, you know, a good example might be 32 00:02:32,070 --> 00:02:35,100 the new modern app format within Windows 8 and above. 33 00:02:36,030 --> 00:02:43,470 No support for any of those kinds of packages, no inventory or reporting on the distribution of software. 
34 00:02:44,410 --> 00:02:51,640 So you there's no way centrally to find out if you know, if you've deployed to 100 computers in an 35 00:02:51,640 --> 00:02:56,140 OU, there's no way to know that all 100 of those computers have gotten the package. 36 00:02:57,040 --> 00:02:58,570 There's no reporting back. 37 00:02:59,480 --> 00:03:04,970 There's you know, the upgrade feature is not what I would call easy in group policy software deployment. 38 00:03:05,890 --> 00:03:07,900 It's quite brittle and somewhat limited. 39 00:03:08,080 --> 00:03:13,720 So there's really not, what I would say, robust upgrade capability within the product and there's 40 00:03:13,720 --> 00:03:17,890 no concept of kind of per node management of the deployed software. 41 00:03:18,790 --> 00:03:22,930 So you can't go in and, you know, re-push a package to just one system. 42 00:03:23,770 --> 00:03:29,080 It's limited by virtue of the fact that with group policy targeting you're typically generally targeting 43 00:03:29,080 --> 00:03:32,110 a whole OU or a group of computers or users. 44 00:03:32,980 --> 00:03:38,680 And so it's not, there's no real concept of being able to manage a single node's software deployment state 45 00:03:39,580 --> 00:03:44,260 redeploy to just that node out of the 100 that have been targeted by that GPO. 46 00:03:45,130 --> 00:03:47,620 So really kind of limited in that respect. 47 00:03:48,520 --> 00:03:52,900 Now let's look at some of the features that are in group policy software installation. 48 00:03:53,770 --> 00:03:58,990 So there's this notion of per user assignment or publishing, and I'll talk more about assigning and 49 00:03:58,990 --> 00:04:01,300 publishing and the differences of those in a bit. 50 00:04:02,180 --> 00:04:07,580 There's the support for upgrade relationships and this is how they're referred to in Zealand. 
51 00:04:08,510 --> 00:04:13,580 It's basically this ability to say that if you'd already deployed version one in GPO A, you can 52 00:04:13,580 --> 00:04:19,940 create an upgrade relationship to version two of the same package in GPO B and have all the clients 53 00:04:19,940 --> 00:04:22,880 that have installed, you know, the version one get the upgrade. 54 00:04:23,780 --> 00:04:28,880 There's support for something called Transforms, which is a feature of Windows Installer MSI packages 55 00:04:28,880 --> 00:04:33,080 that allow you to modify a vendor's MSI setup to do custom installation. 56 00:04:33,950 --> 00:04:39,710 So as a typical example might be in the old days you could deploy Microsoft Office when it shipped as 57 00:04:39,710 --> 00:04:46,160 an MSI, and if you only wanted to install PowerPoint, you could write a transform for the Office setup 58 00:04:46,160 --> 00:04:47,990 that would only install PowerPoint. 59 00:04:48,890 --> 00:04:51,560 Per computer assignment is another feature. 60 00:04:52,500 --> 00:04:56,070 This is the ability to assign applications to the computers. 61 00:04:56,940 --> 00:05:00,640 You also get automatic elevation of privileges during installation. 62 00:05:00,660 --> 00:05:06,540 So if the user if the application requires admin rights and the user doesn't have it, then GPSI takes 63 00:05:06,540 --> 00:05:07,170 care of that. 64 00:05:08,040 --> 00:05:13,260 And then this kind of ability to do what's called install on first use, which is that the application 65 00:05:13,260 --> 00:05:18,630 is not really fully installed on the target, whether it's a computer or a user, until the user triggers 66 00:05:18,630 --> 00:05:19,920 something that requires it. 67 00:05:20,850 --> 00:05:26,430 For example, they click on a Word document in an email attachment and Word gets installed on demand. 
68 00:05:27,360 --> 00:05:33,780 So to define software installation policy, you can find it under computer configuration or user configuration 69 00:05:33,780 --> 00:05:36,780 in these paths. Per computer packages can only be assigned. 70 00:05:36,960 --> 00:05:43,410 So you can only do assignment of a per computer package and it does require a reboot of the computer 71 00:05:43,410 --> 00:05:48,510 to trigger the install. Per user packages can be published or assigned. 72 00:05:49,410 --> 00:05:54,960 Published is for kind of install on first use or install by the user types of packages where you don't 73 00:05:54,960 --> 00:05:57,570 necessarily need the software right there right now. 74 00:05:58,470 --> 00:06:02,820 Assigned packages do require a re-logon by the user to get the install. 75 00:06:03,770 --> 00:06:09,380 So let's take a look at this and like dig in on a real system and see what this actually looks like.