MANAGING SOFTWARE Chapter 9 Briefly describe the topics covered in the chapter. Refer to the objective list at the beginning of Chapter 9, “Managing Software.”
Chapter 9: MANAGING SOFTWARE SOFTWARE LIFECYCLE Developed from the System Development Life Cycle (SDLC).
Chapter 9: MANAGING SOFTWARE WINDOWS INSTALLER Can be used with Group Policy in order to implement, maintain, and remove software Windows Installer service (client-side) Group Policy Software Installation Package (server-side) Overview of the major components; more details are coming up in future slides.
WINDOWS INSTALLER SERVICE Chapter 9: MANAGING SOFTWARE WINDOWS INSTALLER SERVICE The description of the Windows Installer service in the interface is: Adds, Modifies, And Removes Applications Provided As A Windows Installer (*.msi) Package. If this service is disabled, any services that explicitly depend on it fail to start.
SOFTWARE INSTALLATION PACKAGES Chapter 9: MANAGING SOFTWARE SOFTWARE INSTALLATION PACKAGES Obtain or create an .msi file for the application Place that file in a network share Determine if you want a computer-based or user-based installation Configure and link a GPO with the appropriate settings Software is deployed when users log on or when the computer restarts (depending on the package deployment option) This slide summarizes how software can be deployed using Windows Installer. The textbook chapters separate the concepts from the application of those concepts. The slides merge the concepts and application together in an effort to make your presentation efficient and entertaining. The students have the opportunity to practice software deployment to both users and computers in the lab.
MICROSOFT INSTALLER (.MSI) FILES Chapter 9: MANAGING SOFTWARE MICROSOFT INSTALLER (.MSI) FILES Explain the purpose of Microsoft Installer files. Point out that these Microsoft Installer files are located in a shared folder named Packages as shown in the slide. A shared folder holding applications for deployment is sometimes referred to as a software distribution point or distribution share. Placing the Microsoft Installer files in a network share is an important part of preparing them for distribution through Group Policy. For more information about the information covered in this slide see “Windows Installer” and “Creating a Distribution Share” in the textbook.
Chapter 9: MANAGING SOFTWARE DEPLOYING SOFTWARE Software can be deployed under Computer Configuration or User Configuration. When you deploy software to a computer, that software is assigned and installs the next time the computer restarts. When you deploy software to a user, that software can be either assigned or published. These concepts are covered in greater detail in future slides.
ASSIGNING SOFTWARE TO COMPUTERS Chapter 9: MANAGING SOFTWARE ASSIGNING SOFTWARE TO COMPUTERS This animated slide demonstrates creating a software deployment package for Active Directory Administration Tools. Points to make: Assign or Advanced are the only options when deploying software to computers. The Publish option is not available. Software categories can be assigned through Group Policy and will organize applications into categories in the Add Or Remove Programs applet in the Control Panel. The next slide illustrates how software categories are created as well as how they appear in Add Or Remove Programs. You can only upgrade previously created software packages. Transform (.mst) files are demonstrated later.
SOFTWARE INSTALLATION PROPERTIES Chapter 9: MANAGING SOFTWARE SOFTWARE INSTALLATION PROPERTIES This animated slide walks through the Software Installation properties in Group Policy. These properties can be configured from either the Computer Configuration Software Installation node or User Configuration Software Installation node. These properties allow you to modify the default behavior for new software packages and their options. You can also create file associations in the File Extensions tab. The one shown was automatically added by the Microsoft Office XP Professional package. These associations indicate that the application should be installed if any files of this type are clicked. For example, Microsoft Office XP can add more than 30 different file extensions, which may include .doc, .csv, .xls, and .bmp. In the Software Categories tab, the administrator can decide which software categories to create. As previously mentioned, these software categories appear on the client computer after they are created.
DEPLOYING SOFTWARE TO USERS Chapter 9: MANAGING SOFTWARE DEPLOYING SOFTWARE TO USERS This animated slide walks through the options of deploying software to users through Group Policy. You can publish or assign software to users. Also, if you choose to assign the application, you can enable the Install This Application At Logon setting, which can never be enabled in a software deployment to computers. By default, even an assigned application is not installed when the user logs on; it is just advertised in the Start Menu and installs the first time the user attempts to use that application, or when the user attempts to access a file type associated with that application. The students will see this during the lab. However, if you want to force the installation of the application when the user logs on, you can check the Install This Application At Logon option. Excepting the above differences, the deployment options for software packages to users and computers are the same.
CREATING MICROSOFT TRANSFORM (.MST) FILES Chapter 9: MANAGING SOFTWARE CREATING MICROSOFT TRANSFORM (.MST) FILES Explain the purpose of a Microsoft transform file. This animated slide demonstrates the creation of a transform file for Office XP using the Microsoft Office XP Resource Kit tools. First, the transform file is created using the Custom Installation Wizard. Once the file is created, it is displayed in the MST File Viewer. The following slide demonstrates how to actually apply the transform file to the software package.
DEPLOYING A TRANSFORMED SOFTWARE PACKAGE Chapter 9: MANAGING SOFTWARE DEPLOYING A TRANSFORMED SOFTWARE PACKAGE This animated slide demonstrates the creation of a software package using an .mst file. This slide works with the previous slide to demonstrate how to create a modified distribution of Microsoft Office XP. Explain that .mst files can only be inserted into the Modification tab if the Advanced option is used for deploying the application.
Chapter 9: MANAGING SOFTWARE REPACKAGING SOFTWARE Allows you to create Windows Installer .msi files for distribution of applications that do not ship with such files Produced by third party, non-Microsoft, companies May be capable of converting existing installer packages to the Windows Installer format May have to take before and after snapshots of system to create Windows Installer packages Wise Solutions, Inc. (http://www.wise.com) produces Windows Installer repackaging software.
Chapter 9: MANAGING SOFTWARE USING .ZAP FILES Used for older applications that do not have .msi files. Can only be published to users, not assigned to computers or users. Does not support rollback of an unsuccessful installation, modification, repair, or removal. Need to be a local administrator in order to install the application. .zap files do not take advantage of elevated privileges. These files are rarely used because of their many limitations. For more information, see Microsoft Knowledge Base article Q231747, “HOW TO: Publish non-MSI Programs with .zap files.” The article contains an example .zap file. Furthermore, the article explains how to create and publish a .zap file.
Chapter 9: MANAGING SOFTWARE REDEPLOYING PACKAGES You might need to redeploy an application if you make a change to that application. If there is a patch file for the application, and if you want to redeploy the application with the patch, you must update the .msi file. For example, if you deploy Microsoft Office XP Professional, and want to apply the Microsoft Outlook administration patch, you first need to update the .msi file with the Microsoft installer program command similar to: msiexec /a c:\package\proplus.msi /p c:\OLK1004a\outlook_admin.msp After updating the .msi file, you should redeploy the application, as shown in the slide. For more information, see Microsoft Knowledge Base article Q300551, “OL2002: Overview of the Outlook 2002 Public Update: October 4, 2001,” and Microsoft Knowledge Base article Q301348, “HOW TO: Install a Public Update to Administrative Installations of Office XP.”
SOFTWARE RESTRICTION POLICIES Chapter 9: MANAGING SOFTWARE SOFTWARE RESTRICTION POLICIES New in Windows Server 2003 Provides methods to control the use of software applications through Group Policy Can be used to restrict the use of any software Introduce Software Restriction Policies as a new feature for Windows Server 2003. This new feature can be used to control any applications that might be installed on the client computer, regardless of how those applications were installed.
CONFIGURATION OPTIONS Chapter 9: MANAGING SOFTWARE CONFIGURATION OPTIONS This animated slide illustrates the different configuration options that are available for Software Restriction Policies. The options are: Enforcement, Designated File Types, and Trusted Publishers. Discuss the options for each setting. For more information see “Software Restriction Policies” and “Additional Options” in the textbook.
Chapter 9: MANAGING SOFTWARE SECURITY LEVELS This animated slide shows that there are Software Restriction Policies available under both User Configuration and Computer Configuration. Computer Configuration is already expanded and active. The User Configuration Software Restriction Policies are activated during the animated presentation. The last two frames in this animated slide show the Security Settings and provide an opportunity to discuss the Security Level Default Setting options: Unrestricted or Disallowed.
ADDITIONAL RULES—HASH RULE Chapter 9: MANAGING SOFTWARE ADDITIONAL RULES—HASH RULE Briefly discuss the four types of additional rules. Then, move on to the hash rule. This animated slide demonstrates how to create a hash rule for the Netdiag tool. Mention these two limitations to hash rules: If the file is altered in any way, the rules in the Software Restriction Policy can be bypassed. Only file types listed in the Designated File Types list are affected by hash rules.
ADDITIONAL RULES—CERTIFICATE RULES Chapter 9: MANAGING SOFTWARE ADDITIONAL RULES—CERTIFICATE RULES This animated slide describes how certificate rules work. Mention the following limitations: Only file types listed in the Designated File Types list will be affected by certificate rules. For the certificate rule to function, you must enable the System Settings: Use Certificate Rules On Windows Executables for Software Restriction Policies located in \Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options. Certificate rules do not apply to files with an extension of .exe or .dll. Instead, they can be applied to scripts and Windows Installer packages.
ADDITIONAL RULES—INTERNET ZONE RULES Chapter 9: MANAGING SOFTWARE ADDITIONAL RULES—INTERNET ZONE RULES This animated slide illustrates the creation of a single Internet Zone Rule, but provides the opportunity to discuss all types of Internet Zone Rules.
ADDITIONAL RULES—PATH RULES Chapter 9: MANAGING SOFTWARE ADDITIONAL RULES—PATH RULES This animated slide demonstrates the creation of a Path Rule that prevents users from running applications from the Support Tools folder. However, if the tools are moved or copied to another location, the users would again be able to use them. Mention the default Path Rules (Unrestricted) that appear under the Computer Configuration section of every GPO created by default, as shown in the last frame of this animated slide.
PRIORITY ORDER FOR MULTIPLE RULES Chapter 9: MANAGING SOFTWARE PRIORITY ORDER FOR MULTIPLE RULES Hash Rules Certificate Rules Internet Zone Rules Path Rules When multiple rules exist, they are applied in a hierarchical order. When there are conflicts between rules, the highest priority rule type takes precedence. The hierarchy is as shown in the slides. The hash rules have the highest priority and path rules have the lowest. If two rules at the same level are in conflict, the most restrictive rule takes priority.
IMPLEMENTING SOFTWARE RESTRICTION POLICIES Chapter 9: MANAGING SOFTWARE IMPLEMENTING SOFTWARE RESTRICTION POLICIES Use in conjunction with standard access control methods. Use the Disallowed By Default setting cautiously, because only approved applications run when it is enabled. Reboot in Safe mode to troubleshoot client-specific issues with Software Restriction Policies. Do not configure Software Restriction Policies on the Default Domain Policy. Instead, use a separate GPO so that you can easily remove them if necessary. Software Restriction Policies do not take effect in Safe mode, so you can use that for troubleshooting. The typical Group Policy administration advice applies double for Software Restriction Policies: Disable GPOs when you are working on them so partial changes are not applied to your client computers. Always test settings before applying them to your production clients and servers.
Chapter 9: MANAGING SOFTWARE CHAPTER SUMMARY GPOs can be used to deploy, maintain, and remove software. Typical Windows Installer file types are .msi, .mst, and .msp. How are they used? What are .zap files? What is a limitation of their deployment? What software deployment option is available for computers? Users? What are the four Software Restriction Policy additional rule types? What is their hierarchy of priority?
Chapter 9: MANAGING SOFTWARE REVIEW .msi (used when deploying applications), .mst (transforming and modifying msi files), and .msp (patching and repairing issues with .msi packaged applications). .zap files are used for non-Windows Installer distributions. They can be published but not assigned. Software can be assigned to computers. Software can be either assigned or published to users. Software Restriction Policy additional rule types include Hash Rules, Certificate Rules, Internet Zone Rules, and Path Rules. These rules are listed in priority order. Hash rules have the highest priority. Answers to the questions in the summary slide