Group Policy Software Deployment Extraction to Installation

Courtesy of – Joseph Moody

When you have a large number of PCs in the domain on which to deploy software, based on the role of the user within the organization, and you haven’t a large budget, then Group Policy Software Installation is a good and simple way to do it.

Being able to deploy and manage software is a critical skill for any administrator. After all, who wants to install software manually! This article will walk through each step of this process, from extraction through installation, by using Group Policy.

To Use or Not to Use?

The pace of technology has always amazed me. No matter the tool or technology, we are still solving the same core problems. One main issue has always been connecting people to the software they need. Methods of accomplishing this vary from basic batch files with limited functionality to complex software management systems with mountains of features. Sitting right in the middle of this range is Group Policy Software Installation (GPSI).

GPSI is made simple by being natively available in any Active Directory Domain Services environment, which means no additional server components are required. A Domain Controller paired (or combDeplined) with a File Server constitute the only requirement. Because the Group Policy service handles the client side, your users and computers do not require anything extra.

Simple in nature, GPSI does lack certain features found in dedicated software management systems (such as System Center Configuration Manager). First, GPSI does not have a central reporting component. The logs, though detailed, are stored on clients. Also, GPSI can only deploy two file types (MSI and ZAP). Finally, installation requires either a logoff or restart; it is a foreground only installation system.

If your organization needs a solid (but free) way to manage software, GPSI is the way to go. If you want to ensure certain software are available immediately on new domain machines, GPSI accomplishes that perfectly as Group Policy processes on first boot. Because it is built on top of Active Directory, you can use it to manage some or all of your software needs. Likely, you can take advantage of GPSI in some way.


A majority of enterprise software comes in a MSI format that is wrapped inside of an executable. Most of the time, the trick is getting that MSI out. The first step is to determine if the application actually contains an MSI. This is easily accomplished by launching task manager and running the executable. If the application contains an MSI, task manager will show the Windows installer process (MSIEXEC).

Task Manager showing the Windows Installers

From the picture above, we know that our software contains an MSI. Let’s get it out now. Method 1 of doing this is opening the EXE as an archive. Using a file compression program, we can attempt to open the EXE like a compressed folder. My favorite program for this is 7Zip. In the example below, I was able to open the iTunes setup executable by righting clicking on it and selecting Open Archive. As you can see, MSI galore!

Using 7Zip get a list of the MSIs in an executable

Every MSI registers itself with your computer. Knowing this, you can use this information as your second method of retrieving the file. Open up REGEDIT and navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products. Search for the name of the application and expand the source list key. Copy the contents of the LastUsedSource entry and open that folder on a local machine. With any luck, your MSI should reside there.

The results when searching for PackageName

If your MSI is not there, you can also search a local computer for the PackageName value. Be sure to enable hidden and protected files before searching.

If your MSI is still missing, head on over to (formally Likely, someone has found it and posted tips on getting it. Just search for your application (without a version number) to find helpful hints.


But what if your software isn’t an MSI? Check with the manufacturer first – it is not uncommon for one to be provided at request. If you are still stuck with an executable, it is time to repackage it to a GPSI friendly format!

Repackaging is the art of taking the entire executable (or the installed components of the software) and embedding it into an MSI. There are two schools of thought on doing this:

  1. Wrapping the EXE into an empty MSI. The MSI essentially calls the EXE and runs the application silently.
  2. Capturing all new files/registry keys that a particular software installs. Once captured, these settings are stored within an MSI for installation.

If given the choice, I prefer method 2 for repackaging. When using method 1, you are limited to software that can be installed with silent commands (/q, /silent, etc). Normally, software without an MSI lack other standard features such as these commands. Method 1 also prevents you from easily editing the MSI. By capturing an installation into an MSI, you can simply remove files (like a desktop shortcut) that you do not want in the final package.

Capturing an installation is fairly simple. With a clean machine, use a repackaging tool to look at the difference between a before snapshot and after (the installation) snapshot. My favorite tool for doing this is WinInstall LE (free edition). While you can certainly purchase heavy duty repacking programs, I have yet to find a software that couldn’t be repackaged with the free edition.

Editing the MSI

In all likelihood, your extracted MSI will need to be customized for your organization or edited for deployment. By editing an MSI, you can:

  • Remove unnecessary files/registry entries
  • Disable automatic updating
  • Alter Launch Conditions (such as minimum Hardware, Software, or Operating System requirements)

To edit an MSI, download Orca from Microsoft Support. After installation, you can right click on any MSI and view it as a simple database.

Editing an MSI through the Orca interface

From here, specific attributes of the MSI can be modified or removed. In the picture above, we are looking at the Shortcut table. By deleting any entry in this table, we can remove a shortcut. Two other common tables are the LaunchCondition and Property tables. The LaunchCondition table contains restrictions on the MSI execution. As an example, this table would limit execution of the MSI to Windows 7 and below. The Property table contains options for the MSI installation. If a software requires a serial number to install, you can probably paste that value into the serial number entry under the Property table.

As a best practice, avoid editing MSIs directly. By using Orca, you can select Transform and then Generate Transform. This will create an MST file that will apply your changes (without directly making edits).

Saving to Share

Once edited, the next step is to save your MSI to a network share. When we create our Group Policy Object (GPO) for deployment, this share will be our distribution point. Because you will likely store all of your deployed software in a central location, it is best to configure you Share/Folder permissions in a way that supports multiple deployment types.

Generally, your share name should be something simple and short (ex: \\SERVER\MSI or \\SERVER\APPS). If you prefer a little more obsecurity (i.e. Security through Obscurity), it is perfectly fine to hide the Share with a $ value.

For your share permissions, it is acceptable to give Everyone Full Control or to give Authenticated Users Read permission and Administrators Full Control. For the folder permissions, give Authenticated Users Read/Execute and Administrators Full Control. Remember that Authenticated Users includes both Domain Computers and Domain Users. Finally, create specific folders for each manufacturer or piece of software. In the picture below, you can see a sample hierarchy organization.

A simple folder hierarchy

Creating the GPO

Now that the MSI is on the network, let’s link it to a GPO. Create a new unlinked GPO. As a best practice, give the GPO a specific name (usually with a related starting prefix). In our environment, all deployment GPOs start with “APP_”. This allows for easy filtering, sorting, and scripting.

Now decide whether to install the software to the computer or link it to a user. Generally, if the software is static (used consistently at one or many locations), large, or requires regular updates – deploy it on the computer side. If the software is small and used by specific users, deploy it on the user side.

In this example, we are going to create a GPO named APP_7Zip and we will create a corresponding security group named after the GPO. We will then edit the Scope options on the GPO to remove Authenticated Users and to add in our new security group. If you plan on deploying a lot of software, it is best to store these groups in a central location such as a top level OU or physical site level/department OU.

As a general recommendation, avoid extremely detailed GPO and Security Group names (ex: APP-7Zip_v9.00.1.2). Version information, language, and OS type can all be found (or commented) within the GPO itself. Using a general name will keep you from constantly renaming policies.

Edit the GPO. We are going to deploy this MSI to the computer side so we will navigate to Computer Configuration\Policies\Software Settings\Software Installation within the Group Policy Management Console.

Right-click on Software installation in the explorer window

Right click on Software installation and select New Package. Browse to the UNC where you stored the MSI.

Open the file and choose Advanced option, and the Deployment Tab

After selecting Open, choose the Advanced Option and press Ok. Select the Deployment Tab and then Advanced. Check “Ignore language when deploying this package”. This will ensure that if an MSI doesn’t have a language set, deployment will still continue. If you created an MST with ORCA, select the Modifications tab and add the MST. Press OK, make any other changes needed to your GPO, and link it to an OU. Be sure to add any computers to the software security group. Finally, restart the computer twice. After two restarts, your software will install!

The installing message

But What if it Doesn’t?

Like anything made by man, GPSI can break. Most of the time, it is a pretty easy fix though. Below are the troubleshooting steps I take when faced with an installation problem.

  • Does the MSI install normally if I run it on a computer? If it won’t install this way, I know Group Policy isn’t at fault.
  • Can you run the MSI silently? EX: msiexec /I MSI-FILE.msi /qb. If the file can’t install silently, I know Group Policy isn’t at fault.
  • Am I deploying the MSI to the correct object (user or computer)? Some MSIs can’t install to a user and some only want to be installed to a user.
  • Do I see any errors in the event log under application?
  • Is the policy being applied correctly? Running GPRESULT /h Report.htm /f will generate a detailed Group Policy Result.

MAC Book Pro–Speed Up Time Taken To Sleep When You Close The Lid


I recommend a nifty little utility called SmartSleep that allows you to control when the saving of your RAM contents to disk for the Safe Sleep / Hibernate feature Mac OS X has.

Alternatively you can disable Safe Sleep altogether by running:

sudo pmset -a hibernatemode 0

To change it back to the defaults, change the value to 3.

0 - Old style - just goes to sleep.
1 - Only Hibernate
3 - Default - goes to sleep but writes RAM contents to disk just in case.
5 - Only Hibernate mode but if you use secure virtual memory.
7 - The Default but if you use secure virtual memory.

New OWA for iPhone and OWA for iPad apps released


The Exchange Team released two new apps in the Apple App Store today, the OWA for iPhone and OWA for iPad.  These apps currently only work for Office 365 customers, but on-premise versions are in the works.

The apps provide a familiar OWA-like GUI for email and calendaring to Office 365. 

Other features that these apps provide include:

  • Stored credentials so you are automatically logged into the app 
  • Push notifications that actively notify you of new email 
  • Meeting reminders that pop up even when the app is closed 
  • Voice activated actions like scheduling a meeting or sending email 
  • Contact sync so that OWA contacts are recognized by the iPhone’s caller ID function 
  • Remote wipe capability that allows IT to delete email and calendar data in the app from the device in the event that the device gets lost or the user leaves the organization

Here are a couple more screenshots:

Read more about the new apps on the EHLO blog and the Office 365 Technology Blog.

Moving Veeam Backup Data To A New Backup Repository


We are going to move the backup data to a different repository keeping the original backup job intact


Open Veeam
In the panel on the left goto
  ¬ Disk
Now in the right hand side panel find the job you wish to move, right click on it and select
Remove from backups
DO NOT Select Remove from Drive, this will delete your back up 


Now in your OS Browse to where you backup files are stored
Im going to move the Files from one Nas Drive to another as my Original Nas is nearly full
Select the file backup you wish to move and highlight it, hold down the right mouse button and drag it to the new Nas drive, release the button and select move here.
This will copy at the files and keep them intact for later.


Head back over to Veeam
And from the Bottom Menu select Backup Infrastructure
And highlight Backup Repositories from the list above, now on the right you will see your Nas drives
I have moved my backup from VMBackupNas to VMBackupNas2
So i need to select VMBackupNas2 and right click on it, and select Rescan repository


I have moved my backup from VMBackupNas to VMBackupNas2
So i need to select VMBackupNas2 and right click on it, and select Rescan repository
You should see it start scanning like the image to the left
We now need to tell veeam where to find the backup files we have moved, so that our backup jobs will continue as normal but the actual data has moved.


Select Backup and Replication from the bottom menu and then select and edit the job.
Go through as if your going to recreate the job until you reach Storage.
We want to change the Backup Repository so select the repository where you have move the data to, in my case VMBackupNas2.
You will see Map Backup highlighted in blue, click on it and select the backup.
This is very important as Veeam will not see where the old files are unless you complete this step.
If you did not do this it would create a whole new folder to store the backup files.
click next a few time and then finish.

Windows Server 2008 & 2012 Export & Import GPO Using Powershell


There may be times when it is useful to use an existing Group Policy Object (GPO) as a template for a GPO on another server, or perhaps you just need to perform a GPO backup and restore. Here is how to export and import GPOs from the command line.


Starting the Group Policy Cmdlet in Powershell

Firstly, from the command line start powershell and import the Group Policy Cmdlet:


import-module grouppolicy


Exporting a GPO

Check that the backup directory you wish to use exists. If not, create it.

Powershell command:

Backup-GPO -Name -Path

Example: to backup a GPO called “Example GPO” to the directory “C:\GPOBackup”

Backup-GPO -Name "Example GPO" -Path "C:\GPOBackup"


Importing a GPO

Keeping the same GPO Name

Powershell command:

Import-GPO -BackupGPOName -CreateIfNeeded -Path

Example: to import a GPO called “Example GPO” from the directory “C:\GPOBackup”

Import-GPO -BackupGPOName "Example GPO" -CreateIfNeeded -Path "C:\GPOBackup"

Renaming the GPO

Powershell command:

Import-GPO -BackupGPOName -TargetName -CreateIfNeeded -Path

Example: to import a GPO called “Example GPO”, renaming it to “New GPO”, from the directory “C:\GPOBackup”

Import-GPO -BackupGPOName "Example GPO" -TargetName "New GPO" -CreateIfNeeded -Path "C:\GPOBackup"

How To Activate Windows Server 2012


1, Open a command prompt with elevated rights

* Hover mouse in the bottom left hand corner to get the start icon or use ctrl+esc or windows key / command key.
* Right click anywhere on blank space in the start launch or ctrl+tab.
* From the Apps launch start typing “CMD” then right click or arrow key til highlighted and alt+spacebar to get the options to run as administrator.

2, Type the following command to register key

“slmgr.vbs /ipk {product key, including dashes}”
hit enter

Below is a Video showing you what you need to do: