Performing Software Installation with Group Policy Lesson 9

Skills Matrix Technology Skill Objective Domain Objective # Managing Software Through Group Policy Configure software deployment GPOs 4.5 Skills Matrix

Software Life Cycle Lesson 9 Planning Implementation Maintenance Removal Lesson 9

Configuring Software Installation Defaults Open the Group Policy Management Editor window for an existing GPO. Expand the User Configuration or the Computer Configuration node, followed by Software Settings. Right-click the appropriate Software Installation node, and then click Properties. Lesson 9 4

Configuring Software Installation Defaults (cont.) In the General tab of the Software Installation Properties dialog box, key the Uniform Naming Convention (UNC) path (\\servername\ sharename) to the software distribution point for the Windows Installer packages (.msi files) in the GPO in the Default Package Location box. In the New Packages section on the General tab, select one of the options listed. Lesson 9 5

Configuring Software Installation Defaults (cont.) In the Installation User Interface Options section, select one of the options listed. Click the Advanced tab, and select any of the listed options to apply the options to all packages in the GPO. Lesson 9 6

Configuring Software Installation Defaults (cont.) In the Application Precedence list box, move the application with the highest precedence to the top of the list using the Up or Down buttons. Click the Categories tab, and then click Add. Lesson 9 7

Configuring Software Installation Defaults (cont.) Key the name of the application category to be used for the domain in the Category box, and click OK. Click OK to save your changes. Lesson 9 8

Creating a New Software Installation Package Open the Group Policy Management Editor for the GPO you wish to configure. In the Computer Configuration or User Configuration node, drill down to Software Settings. Right-click the Software Installation node, select New, and then click Package. Lesson 9 9

Creating a New Software Installation Package (cont.) In the File Name list, key the UNC path to the software distribution point for the Windows Installer packages (.msi files), and then click Open. Lesson 9 10

Creating a New Software Installation Package (cont.) Select one of the options listed. If you selected Published or Assigned, the Windows Installer package has been successfully added to the GPO and appears in the Details pane. Lesson 9 11

Creating a New Software Installation Package (cont.) If you selected Advanced, the Properties dialog box for the Windows Installer package opens to permit you to set properties for the Windows Installer package, including deployment options and modifications. Make the necessary modification, and click OK. Lesson 9 12

Configuring Software Restriction Policies Unrestricted Disallowed Basic User Lesson 9 13

Modifying the Default Security Level In the Group Policy Management Editor window for the desired policy, expand the Software Restriction Policies node from either the Computer Configuration\Windows Settings\ Security Settings or User Configuration\Windows Settings\Security Settings node. If a software restriction policy is not already defined, right-click Software Restriction Policies, and select New Software Restriction Policies. Lesson 9 14

Modifying the Default Security Level (cont.) In the details pane, double-click Security Levels. Right-click the security level that you want to set as the default, and then click Set As Default. Lesson 9 15

Configuring Software Restriction Rules Hash rule Certificate rule Path rule Network zone rule Lesson 9 16

You Learned Group Policy can be used to deploy new software on your network and remove or repair software originally deployed by a GPO from your network. This functionality is provided by the Windows Installer service within the Software Installation extension of either the User Configuration\Software Settings or Computer Configuration\Software Settings node. Lesson 9

You Learned (cont.) Lesson 9 Three types of package files are used with the Windows Installer service: .msi files for standard software installation, .mst files for customized software installation, and .msp files for patching .msi files at the time of deployment. All pertinent files must reside in the same file system directory. Lesson 9

You Learned (cont.) Lesson 9 A .zap file can be written to allow non– Windows Installer–compliant applications to be deployed. A .zap file does not support automatic repair, customized installations, or automatic software removal. In addition, these files must be published. Lesson 9

You Learned (cont.) Lesson 9 A shared folder named a software distribution point must be created to store application installation and package files that are to be deployed using Group Policy. Users must have the NTFS Read permission to this folder for software installation policies to function. Lesson 9 20

You Learned (cont.) Lesson 9 Software to be deployed using Group Policy can either be Assigned or Published. Assigning software using the User Configuration node of a Group Policy allows the application to be installed when the user accesses the program using the Start menu or an associated file. Assigning software can also be performed using the Computer Configuration node of a Group Policy, which forces the application to be installed during computer startup. Lesson 9 21

You Learned (cont.) Lesson 9 Publishing an application allows the application to be available through Add Or Remove Programs in Control Panel. In addition, published applications can be divided into domain-wide software categories for ease of use. Lesson 9 22

You Learned (cont.) Lesson 9 Software restriction policies were introduced in Windows Server 2003 and allow the software's executable code to be identified and either allowed or disallowed on the network. Lesson 9 23

You Learned (cont.) Lesson 9 The three Default Security Levels within Software Restriction Policies are Unrestricted, which means all applications function based on user permissions; Disallowed, which means all applications are denied execution regardless of the user permissions; and Basic User, which allows only executables to be run that can be run by normal users. Lesson 9 24

You Learned (cont.) Lesson 9 Four rule types can be defined within a Software Restriction Policy. They include, in order of precedence, hash, certificate, network zone, and path rules. The security level set on a specific rule supersedes the Default Security Level of the policy. Lesson 9 25

You Learned (cont.) Lesson 9 Enforcement properties within Software Restriction Policies allow the administrator to control users affected by the policy. Administrators can be excluded from the policy application so that it does not hamper their administrative capabilities. Lesson 9 26

You Learned (cont.) Lesson 9 Certificate rules require enabling the System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies located in Computer Configuration\Windows Settings\Security Settings\Local Policies\ Security Options. Lesson 9 27

You Learned (cont.) Lesson 9 Path rules can point to either a file system directory location or a registry path location. The registry path location is the more secure option of the two choices because the registry key location changes automatically if the software is reinstalled. In contrast, if a file system directory is blocked for executables, the program can still run from an alternate location if it is moved or copied there, allowing the possibility of a security breach. Lesson 9 28