1
00:00:03,030 --> 00:00:08,070
So now I want to show you some of the options that are available and some of the best practices around

2
00:00:08,070 --> 00:00:11,010
deploying software packages using group policy.

3
00:00:11,890 --> 00:00:15,790
When you deploy a package, you'll see this advanced page that comes up.

4
00:00:16,610 --> 00:00:20,840
And it gives you the ability to set a bunch of options on the package deployment.

5
00:00:21,800 --> 00:00:26,120
So for example, you can set the deployment type to either published or assigned.

6
00:00:27,010 --> 00:00:31,750
And if this were a per computer deployment, you wouldn't see the published option or it would be grayed

7
00:00:31,750 --> 00:00:32,050
out.

8
00:00:32,230 --> 00:00:34,450
So you'd only have the ability to assign.

9
00:00:35,290 --> 00:00:39,970
And then you've got a bunch of deployment options like the install on first use option, which allows

10
00:00:39,970 --> 00:00:42,790
you to install an application by the file extension.

11
00:00:43,630 --> 00:00:49,210
And what that means is, as in the example I gave previously, if you get a PDF file as an attachment

12
00:00:49,210 --> 00:00:54,700
and you don't have a PDF reader installed the first time you click on that PDF, if the PDF reader has

13
00:00:54,700 --> 00:00:58,210
been published to the user, it will automatically trigger the install.

14
00:00:59,080 --> 00:01:00,670
The install will occur.

15
00:01:01,590 --> 00:01:02,070
Package.

16
00:01:02,070 --> 00:01:06,570
The reader will be installed and it will open with that document that the user clicked on.

17
00:01:07,440 --> 00:01:10,500
So this is kind of the install on first use model.

18
00:01:11,370 --> 00:01:16,560
The other option below it, "Uninstall this application when it falls out of the scope of management,"

19
00:01:16,740 --> 00:01:20,520
means that the app gets removed when the GPO is no longer in scope.
20
00:01:21,390 --> 00:01:27,300
So for example, if the GPO that delivered the app, the Adobe Reader package gets deleted or unlinked,

21
00:01:27,300 --> 00:01:32,280
or the user moves from one OU where the GPO exists or is linked to another where it's not.

22
00:01:32,400 --> 00:01:38,280
Then the package will be installed when the user logs on the next time, and then you have the option

23
00:01:38,280 --> 00:01:42,810
for published apps to not have them appear in the Add/Remove Programs control panel applet.

24
00:01:43,710 --> 00:01:44,790
That is the default.

25
00:01:44,880 --> 00:01:51,360
So when you publish an application, it will automatically appear in Add/Remove Programs, but you

26
00:01:51,360 --> 00:01:51,840
can tell it.

27
00:01:51,840 --> 00:01:53,000
I don't want to do that.

28
00:01:53,010 --> 00:01:58,860
I'd rather, you know, basically not have it appear so the user doesn't have a choice of when they

29
00:01:58,860 --> 00:02:03,090
install, it gets installed, for example, when they click on that PDF file.

30
00:02:03,920 --> 00:02:09,470
And then you can also choose the UI that appears when the application or the package is installing.

31
00:02:10,340 --> 00:02:15,890
So in most cases, you're going to want to choose basic unless you want the user to get a lot of feedback

32
00:02:15,890 --> 00:02:17,870
about what's going on in the installation.

33
00:02:18,740 --> 00:02:25,340
So basic is as close to silent as you can get in an installation of group using group policy for a package.

34
00:02:26,210 --> 00:02:28,280
Now, some other package options.

35
00:02:28,310 --> 00:02:33,730
There's a bunch of tabs within this dialog you can set upgrade relationships.

36
00:02:33,740 --> 00:02:35,450
And I talked about this earlier.

37
00:02:36,400 --> 00:02:40,750
So if I had packages that upgraded my current package, I could add them here.
38
00:02:41,650 --> 00:02:46,870
Again, I can use I can select the categories for the application that I'm publishing.

39
00:02:47,770 --> 00:02:50,440
So as in the example I gave previously.

40
00:02:51,320 --> 00:02:56,000
If I have a utilities category, I can assign it to this Adobe Reader package.

41
00:02:56,870 --> 00:02:58,910
And I can set modifications.

42
00:02:59,810 --> 00:03:05,270
This is where you can use MSI transforms to modify the default behavior of the install package.

43
00:03:06,200 --> 00:03:13,070
So I can add a .mst, T as in Tom, file to this package and that transform will modify the package

44
00:03:13,070 --> 00:03:16,670
and the package's behavior as it's installed by the computer or user.

45
00:03:17,540 --> 00:03:21,310
And then finally I can actually set the security on the package.

46
00:03:22,170 --> 00:03:27,510
And this is kind of a I'd call a poor man's security group filtering for individual packages.

47
00:03:28,390 --> 00:03:33,820
It lets you if you remove, for example, the Read permission from a particular group for this package,

48
00:03:33,970 --> 00:03:39,160
then even though they might process the GPO that contains this package, they will not be able to install

49
00:03:39,160 --> 00:03:42,070
the application because they don't have read permissions to it.

50
00:03:42,970 --> 00:03:48,630
So you could have, for example, a GPO with five packages deployed to the Marketing Users Group.

51
00:03:49,510 --> 00:03:54,880
But if there's a particular user in the Marketing Users group that does not have read access, perhaps

52
00:03:54,880 --> 00:03:57,310
you deny read to the Adobe Reader package.

53
00:03:58,220 --> 00:04:00,530
They would not actually install that package.

54
00:04:01,460 --> 00:04:06,740
So there's some granularity you get with the security tab in terms of who actually runs those package

55
00:04:06,740 --> 00:04:07,580
installations.
56
00:04:08,510 --> 00:04:12,080
So let's shift gears and talk a little bit about best practices.

57
00:04:12,990 --> 00:04:18,810
The one best practice that I always, always have always recommend is to store your MSI installer packages

58
00:04:18,810 --> 00:04:21,450
on distributed file system or DFS shares.

59
00:04:22,350 --> 00:04:27,210
And the reason that you need to do this is if you stick it on a single server and a server share.

60
00:04:27,210 --> 00:04:32,460
If that server needs to go away, you retire the hardware or the server crashes and you're unable to

61
00:04:32,460 --> 00:04:33,060
recover it.

62
00:04:33,060 --> 00:04:39,270
That that link between the server UNC path, the share path and the software that's been deployed to

63
00:04:39,270 --> 00:04:41,670
all those computers for users is broken.

64
00:04:42,540 --> 00:04:45,730
That link is broken and essentially the package is orphaned.

65
00:04:45,750 --> 00:04:52,050
You'd not be able to it won't be install from those systems or those users, but you wouldn't be able

66
00:04:52,050 --> 00:04:54,000
to upgrade that package anymore.

67
00:04:54,900 --> 00:04:57,090
You wouldn't be able to patch that package.

68
00:04:57,990 --> 00:05:04,050
So I highly recommend for a number of reasons, using DFS for storing your installer packages.

69
00:05:04,960 --> 00:05:10,510
And this is just a kind of a screenshot of the DFS management tool and how you can create a namespace.

70
00:05:11,410 --> 00:05:13,780
In this case, I called it packages.

71
00:05:14,660 --> 00:05:21,110
And underneath it there's a link to the installer share used for computer assignment unless you want

72
00:05:21,110 --> 00:05:24,050
the application to follow the user to every machine.
73
00:05:24,980 --> 00:05:30,830
So you know, there's probably very few situations where you want to use per user deployment of applications

74
00:05:31,730 --> 00:05:37,130
because it does mean that every time the user logs onto a machine where that application isn't installed,

75
00:05:37,220 --> 00:05:39,290
they're going to get that application installed.

76
00:05:40,160 --> 00:05:44,900
And if it's an application that has licensing restrictions, you're going to leave machines littered

77
00:05:44,900 --> 00:05:48,170
with installed applications that may exceed your license count.

78
00:05:49,070 --> 00:05:52,400
So I typically recommend all you can do per user.

79
00:05:52,430 --> 00:05:54,860
I typically recommend to stick with the per user.

80
00:05:54,890 --> 00:05:55,670
I'm sorry.

81
00:05:55,700 --> 00:06:01,820
Per computer assignment and then use the administrative install option of the MSI package.

82
00:06:01,850 --> 00:06:04,040
And this allows the package to be patched.

83
00:06:04,940 --> 00:06:06,710
And I'll talk about this in my demo.

84
00:06:06,890 --> 00:06:12,290
But essentially what this means is when you instead of just copying the MSI file to your DFS share,

85
00:06:12,320 --> 00:06:16,790
you're going to actually do an administrative install of the package and that does a special kind of

86
00:06:16,790 --> 00:06:20,690
deployment of the package to that share that allows it to be patched down the line.

87
00:06:21,500 --> 00:06:25,100
Don't allow users to install CI deploy packages.

88
00:06:25,130 --> 00:06:30,980
The reason for this is that essentially orphans that machine, you can't get the package back to the

89
00:06:30,980 --> 00:06:36,140
machine using group policy if the user has sort of broken the relationship between group policy and

90
00:06:36,140 --> 00:06:36,770
the machine.
91
00:06:37,610 --> 00:06:42,980
And this is kind of another brittleness of the CI feature that you definitely don't want the user being

92
00:06:42,980 --> 00:06:49,490
the one that installs a group policy deployed package and then finally transforms can only be applied

93
00:06:49,490 --> 00:06:51,560
at the time that you deploy the package.

94
00:06:52,450 --> 00:06:57,640
So if, for example, you deploy an MSI and then you decide afterwards you want to modify it with a

95
00:06:57,640 --> 00:06:59,260
transform, you can't do it.

96
00:07:00,160 --> 00:07:03,670
You can't add that transform after the package has been deployed.

97
00:07:04,570 --> 00:07:09,940
You have to recreate the package, redeploy it to all your clients with the transform assigned to it.

98
00:07:10,870 --> 00:07:15,760
So let's go now and look at walking through kind of a sample deployment using group policy software

99
00:07:15,760 --> 00:07:19,900
installation to see how this works and how you can leverage it in your environment.