about me about this session agenda computer user


Upload: christina-marybeth-chandler

Post on 23-Dec-2015


TRANSCRIPT

Page 1: About me About this session Agenda Computer User
Page 2: About me About this session Agenda Computer User

Software deployments: From GPO to Configuration Manager
Mikko Järvinen
Systems Administrator
University of Turku

UD-B323

Page 3: About me About this session Agenda Computer User

About me
• Desktop services team leader at IT Management of the University of Turku, Finland

• OS and software deployments, print services, msi repackaging, general sysadmin stuff

• Twitter: @mikko_jarvinen

Page 4: About me About this session Agenda Computer User

About University of Turku
• 7 faculties
• 3500 FTE employees
• 21000 students
• 5000+ workstations
• 400+ servers
• Mixed and diverse environment
• Centralized IT

Page 5: About me About this session Agenda Computer User

About this session
• Tweet: #MMSUDB323
• Based on a true story
• We migrated software deployments from group policy software installations to Configuration Manager 2007

• In this session we will also focus on 2012 Configuration Manager (SP1)

• How could application model help us?

• Scripts available at myITforum.com

Page 6: About me About this session Agenda Computer User

Agenda

Part 1
Group policy software installations explained
Getting familiar with features in and differences between group policy software installations and Configuration Manager software deployments

Part 2
Moving group policy based published per-user installations to Configuration Manager

Part 3
Moving group policy based assigned per-machine installations to Configuration Manager

Page 7: About me About this session Agenda Computer User

Part 1: Group policy software installations

Page 8: About me About this session Agenda Computer User

Demo: Group policy software installations

Page 9: About me About this session Agenda Computer User

Group policy software installations explained

Page 10: About me About this session Agenda Computer User

Computer User

Page 11: About me About this session Agenda Computer User

Group policy software installations vs. Configuration Manager

Page 12: About me About this session Agenda Computer User

Group policy vs. Configuration Manager

Group policy software installations | Configuration Manager
Group policy software installations client side extension | ConfigMgr Client → ConfigMgr Software Distribution Agent (ccmexec.exe)
Msi package (or .zap file) | Any command line
Install and uninstall out of the box | Package model: install and uninstall separate. Application model: installation program required, uninstall program recommended
Writes Event IDs, but no centralized reporting | Extensive and exhaustive reports and logging

Page 13: About me About this session Agenda Computer User

Group policy vs. Configuration Manager

Group policy software installations | Configuration Manager
Based on active directory and organizational units | Collections and database. Information can be read from AD
Targeting using organizational units | Targeting using collections
Additional targeting using group policy security filtering | Queries, direct membership. Application Model: requirements
Msi package → assign/publish | Package model: Package → Program → Advertisement. Application model: deployment types

Page 14: About me About this session Agenda Computer User

Group policy vs. Configuration Manager

Group policy software installations | Configuration Manager
If msi package and targeted computer are ok, everything just works (or that's what we think) | Whether software distribution action was successful or not we get the information. Return codes are important!
Sequencing possible using "GPO Link Order". Package installation order within the same GPO is assumed to be random | Package model: "Run another program first". Task Sequences. Application Model: requirements, dependencies
Makes sure the client computer is in the state that msi package defines | Makes sure the command line will be run on client - eventually

Page 15: About me About this session Agenda Computer User

Group policy vs. Configuration Manager

Group policy software installations | Configuration Manager
No scheduling options | Deployments can be scheduled
DFS root → DFS share → directory → msi package (Install source) | Package Source Files → Distribution Point → ConfigMgr cache
Install source is immutable | ConfigMgr Windows Installer Source List Management

Page 16: About me About this session Agenda Computer User

Group policy software installations

Group policy
• Information about software installation is in active directory and group policy object
• Group policy's normal separation into computer configuration and user configuration applies to software installations as well
• Client computer processes group policies and gets the information about software installations

Client-side extension
• Group policy software installations client side extension commands Windows installer based on the information it has received after group policies have applied

Windows installer
• Windows installer operates with the msi package

Page 17: About me About this session Agenda Computer User

Group policy software installations

Stateful technologies by design
• Group policy software installations is stateful and relies on the information defined in group policy object
• Windows installer is stateful and relies on the information defined in the msi package

Extremely stateful together
• Group policy software installations client-side extension enforces msi package self-healing which will restore the state of the installations!
• These are very powerful but problematic technologies
• The quality of the msi package is very important

Page 18: About me About this session Agenda Computer User

Group policy software installations

[Diagram: Domain: GPO (Computer, User). Client: GPO Software Installations Client Side Extension, Windows Installer, Msi package.]

Page 19: About me About this session Agenda Computer User

Group policy software installations

Three main operating modes
1. Assigned to Computers
2. Assigned to Users
  • Advertise (create shortcuts only)
  • Install at logon
3. Published to Users

Page 20: About me About this session Agenda Computer User

Group policy software installations

Auto-install
• Deployment option "Auto-install this application by file extension activation"
• File type associations are extracted from msi package's Verb Table
• Group policy client side extension knows the associations
• If a user tries to open a file type which is known by "auto-install" the associated program will be installed automatically
• If "Install a program from the network" has been hidden on client auto-install still works!

Page 21: About me About this session Agenda Computer User

Windows installer install cache and install source

Page 22: About me About this session Agenda Computer User

Windows installer install cache

Install cache
• Windows installer saves an "inflated" version of msi package into Windows installer cache
• Install cache enables self-healing, uninstall, etc. without the need for original msi

Install cache location
• %systemroot%\Installer
• Cache is there for a reason - don't delete anything or otherwise mess with it!

Page 23: About me About this session Agenda Computer User

Windows installer install source

Install source
• Windows installer saves the original path of the msi package in registry
• Install source is the last resort if "inflated" msi package in Windows installer cache is not enough
  • True with poorly authored and bad msi packages
• If install source is needed but not accessible you are in trouble!

Configuration Manager Windows installer source location manager
• Also known as 'Source update' or 'Installation source management'
• Source location manager tries to keep the install source available for the client
• Based on msi package's product code

Page 24: About me About this session Agenda Computer User

Windows installer install source

Install source locations
• HKCR\Installer\Products\<product code>\SourceList\Net\<#>
• HKCU\Software\Microsoft\Installer\Products\<product code>\SourceList\Net\<#>
• HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\<Product>\InstallSource
• HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\<User-SID>\Products\<obfuscated product code>\InstallProperties\InstallSource

Page 25: About me About this session Agenda Computer User

Windows installer self-healing (self-repair)
• Windows installer checks for component keypaths but repairs the whole component
• Reference msi is in install cache

[Diagram: Msi package. Component A (GUID A) contains File 1 (keypath for Component A) and File 2. Component B (GUID B) contains Registry Key 1 (keypath for Component B) and File 3. Windows installer: Check, Repair.]

Page 26: About me About this session Agenda Computer User

Update, upgrade and replace

Page 27: About me About this session Agenda Computer User

Update, upgrade and replace

There are three main methods to get a new software version deployed
1. Update
2. Upgrade
3. Replace

Page 28: About me About this session Agenda Computer User

Update, upgrade and replace

Update
• Deploy Windows installer patch (.msp) over existing installation
• Group policy software installations has no support for deploying updates, and you cannot safely update the installations on clients yourself, either
  • If you update, client's state is different than the group policy software installation's opinion
• To deploy a patched version you must first update administrative installation and then redeploy (or repackage)
• Configuration Manager: Run the command line to install the patch or utilize Software Updates
• Non-Windows installer technology updates or patching is a bit different story

Page 29: About me About this session Agenda Computer User

Update, upgrade and replace

Upgrade
• For upgrade to work, msi package must have the logic (Upgrade Code and Upgrade Table) to upgrade older versions
• Windows installer takes care of the upgrade during the installation of a new version
• Group policy software installations "Package can upgrade over existing package"
• Some vendors don't support upgrades in their msi packages!
  • You must handle these situations carefully as a part of deployment
• Non-Windows installer upgrades are a bit different story

Page 30: About me About this session Agenda Computer User

Update, Upgrade and Replace

Replace
• Complete uninstall of old version, then install new version
• Group policy software installations "Uninstall the existing package, then install the upgrade package"
• Replacing is the safest way to install new versions
• Uninstall or install could still fail!

Page 31: About me About this session Agenda Computer User

Windows installer rollback

Rollback returns the original state
• Before deleting a file Windows installer creates a temporary backup from it
• If something goes horribly wrong Windows installer can stop the process and roll the system back to the initial state
• Rollback can happen during install or uninstall!

Undesirable rollback
• Msi package defines the initial state of the computer
• Poorly authored msi package, especially custom actions, or messed up client may lead to unwanted rollbacks
  • It is possible to end up in a situation where software cannot be installed or uninstalled

Page 32: About me About this session Agenda Computer User

Group policy software installations

Detecting the installations
• To avoid any damage we do not want to deploy a software using Configuration Manager on top of the group policy based installation
  • Group policy software installations extension and Windows installer self-healing will try to restore the state of the group policy based installation
• We need to detect if the specific msi package has been installed on the computer by group policy software installations - either with "published to users" or "assigned to computer" method
  • The same msi package installed outside of the group policy software installations is not a problem
• Installations can be detected using solely msi package's product code and the information can be found under HKLM hive in registry
• However, some programmed logic is required to detect published per-user installations

Page 33: About me About this session Agenda Computer User

Group policy software installations

Detection method: assigned to computer
• HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\AppMgmt\{guid}\
• Where {guid} is the value of ObjectGUID attribute of the packageRegistration object inside the group policy object where the package has been defined in active directory
• domain/System/Policies/{GPOguid}/Machine/Class Store/Packages/{aas-guid}

Page 34: About me About this session Agenda Computer User

Group policy software installations

Detection method: published to users
• HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed\<domain-user-SID>\Installer\Products\{obfuscated-msi-product-code}\

Obfuscation:
• {01234567-89ab-cdef-0123-456789abcdef} product code will be in form {76543210-ba98-fedc-1032-547698badcfe}

Information about installation is stored in user's registry as well
• HKCU\Software\Microsoft\Installer
• HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy\AppMgmt
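
The obfuscation rule and the published-to-users detection path above, worked through as an added Python example (not part of the original slides or of the Pipari/Keksi scripts). The key list is constructed sample data standing in for a registry listing, and the function names are hypothetical. Registry key names hold the obfuscated code as 32 hex digits without braces or hyphens, so the comparison ignores punctuation and case.

```python
import re

# Root of managed per-user product registrations, as given on the slide.
MANAGED_ROOT = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed"

_GUID_RE = re.compile(
    r"^\{?([0-9a-f]{8})-([0-9a-f]{4})-([0-9a-f]{4})-([0-9a-f]{4})-([0-9a-f]{12})\}?$",
    re.IGNORECASE,
)
_KEY_RE = re.compile(
    re.escape(MANAGED_ROOT) + r"\\(S-[0-9-]+)\\Installer\\Products\\([^\\]+)\\?$",
    re.IGNORECASE,
)


def _swap_pairs(digits):
    """Swap the two hex digits of every byte: '0123' -> '1032'."""
    return "".join(digits[i + 1] + digits[i] for i in range(0, len(digits), 2))


def obfuscate_product_code(product_code):
    """Convert an msi product code to its obfuscated form (the rule is its own inverse)."""
    m = _GUID_RE.match(product_code.strip())
    if m is None:
        raise ValueError("not a product code GUID: %r" % product_code)
    g1, g2, g3, g4, g5 = m.groups()
    # The first three groups are reversed whole; the last two are swapped byte by byte.
    return "{%s-%s-%s-%s-%s}" % (
        g1[::-1], g2[::-1], g3[::-1], _swap_pairs(g4), _swap_pairs(g5))


def _normalize(code):
    """Strip braces and hyphens so both notations compare equal."""
    return code.strip("{}").replace("-", "").upper()


def users_with_published_install(key_paths, product_code):
    """Return the user SIDs that have a managed per-user install of product_code."""
    wanted = _normalize(obfuscate_product_code(product_code))
    sids = []
    for path in key_paths:
        m = _KEY_RE.match(path.strip())
        if m and _normalize(m.group(2)) == wanted and m.group(1) not in sids:
            sids.append(m.group(1))
    return sids


# Constructed sample listing (SIDs and product codes are made up).
SAMPLE_KEYS = [
    MANAGED_ROOT + r"\S-1-5-21-1111111111-2222222222-3333333333-1001"
                   r"\Installer\Products\76543210BA98FEDC1032547698BADCFE",
    MANAGED_ROOT + r"\S-1-5-21-1111111111-2222222222-3333333333-1002"
                   r"\Installer\Products\76543210ba98fedc1032547698badcfe" + "\\",
    # A different product for a third user.
    MANAGED_ROOT + r"\S-1-5-21-1111111111-2222222222-3333333333-1003"
                   r"\Installer\Products\00000000000000000000000000000001",
    # Same product registered outside the Managed key: not a blocker.
    r"HKLM\SOFTWARE\Classes\Installer\Products\76543210BA98FEDC1032547698BADCFE",
]

if __name__ == "__main__":
    code = "{01234567-89ab-cdef-0123-456789abcdef}"
    print(obfuscate_product_code(code))
    print(users_with_published_install(SAMPLE_KEYS, code))
```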

Page 35: About me About this session Agenda Computer User

Group policy software installations

Options to get away?

Option 1: Forced uninstall
• Removal option "Immediately uninstall the software from users and computers"
• Group policy software installations extension uninstalls the software at next possible moment after the group policies have been refreshed
• Leaves the (un)deployment "alive" in group policy
• It is easy to force a restart for the computers but how do you force a re-logon to all users that have logged on to a computer and have per-user installations?

Option 2: Remove commitments
• Removal option "Allow users to continue to use the software, but prevent new installations"
• Software remains installed, but group policy software installations extension is no longer interested in the state of the installation on client computer
• You will have to uninstall, upgrade or replace the software afterwards

Page 36: About me About this session Agenda Computer User

Group policy software installations

Options to get away?

Option 3: Uninstall without removal
• Deployment option "Uninstall this software when it falls out of the scope of management"
• If you add this option, remember that clients must refresh the policies to receive the information
• When group policy is no longer affecting the computer or user the software is considered to be "out of the scope of management"
• Group policy software installations extension uninstalls the software at next possible moment after the group policies have been refreshed

Option 4: Reinstall Windows
• Make sure the group policies with installation are not affecting computer or user after the restart

Option 5: Application virtualization
• Virtualized software will not change the state of the computer so you can deploy software on top of group policy software installations without breaking clients
• You can buy some time with this but the group policy based installations remain on the clients

Page 37: About me About this session Agenda Computer User

Part 2: Migrating published per-user installations

Page 38: About me About this session Agenda Computer User

Group policy vs. Configuration Manager
Published installations

Group policy software installations | Configuration Manager
Publish to user | Advertisement, non-mandatory to computer
Only domain accounts | For all accounts (Domain, Local)
Installing account: user with elevated privileges | Installing account: Local System or the user logged on
No notifications about new software | Option for notifications about new software

Page 39: About me About this session Agenda Computer User

Migrating published per-user installations

Published per-user installation facts
• Published software is installed only once per computer
• Each user must, however, initiate the "installation" to get per-user information (shortcuts, HKCU, etc.)
• Group policy software installations client side extension keeps track of users and installed programs
• Group policy per-user installation can be uninstalled only by the user(s) and essential information is in user's registry
  • Software will be uninstalled when the "user count" hits zero
  • If the user (account) no longer exists it is difficult to get software uninstalled
  • If you delete user's profile essential information will be lost
• Per-user installation type is challenging when computer has more than one user!

Page 40: About me About this session Agenda Computer User

Migrating published per-user installations

Pros
• A great and an easy way to provide optional software for users
• Install, modify and uninstall for standard users (through elevation)
• 24/7 software installation self-service portal built-in into Windows and Active Directory

Cons
• Strange mixup of per-machine and per-user installations
• Tied to domain user accounts
• Ping-pong self-healing if two users have different version of the same software on the computer that cannot co-exist

Page 41: About me About this session Agenda Computer User

Migrating published per-user installations

Challenge
• How to provide about the same features and user experience with Configuration Manager as we had with published group policy based installations?
  • 2012 Configuration Manager Application Catalog is definitely one way
• How to prevent breaking existing per-user installations on clients?

Solution
• PIPARI script
  • Pipari Implements Prerequisite Analyzer and Runs Installations

Page 42: About me About this session Agenda Computer User

Migrating published per-user installations

PIPARI is a Visual Basic script which
• Will be used as a wrapper script for the installation
• Detects blocking group policy based per-machine installations
• Detects blocking group policy based per-user installations
• Detects blocking running processes
• Provides uninstall or modify feature if program has already been installed
• Informs the user when installation is finished
• Can provide merciful reboot option
• Works with all x86/x64-combinations of installer and environment
• Returns valid return codes

Page 43: About me About this session Agenda Computer User

Pipari script explained

Page 44: About me About this session Agenda Computer User

Pipari script explained

Page 45: About me About this session Agenda Computer User

[Flowchart, part 1, from Start. Decision nodes: "Blocking per-machine installations?", "Blocking per-user installations?", "Blocking process running?", "Notify user, try again?". Action: Notify user. Exits: Quit: -1 (per-machine), Quit: -2 (per-user), Quit: -3 (blocking process). Continues at connector A.]

Page 46: About me About this session Agenda Computer User

[Flowchart, part 2, from connector A. Decision nodes: "Program already installed?", "Install program?", "Uninstall program?", "Reboot needed?". Actions: Run install command; Run uninstall command; Notify user: installation finished; Notify user: reboot is needed; Wait for 'OK'; Schedule reboot in 60 seconds. Exits: Quit: 0 (no changes), Quit: -4 (user gave up), Quit: Return Code from install command, Quit: Return Code from uninstall command.]

Page 47: About me About this session Agenda Computer User

Demo: Pipari script

Page 48: About me About this session Agenda Computer User

Part 3: Migrating assigned per-machine installations

Page 49: About me About this session Agenda Computer User

Group policy vs. Configuration Manager
Per-machine installations

Group policy software installations | Configuration Manager
Install during startup (boot): "Installing Managed Application..." | Install at any time (except during startup), whether user is logged on or not
Uninstall during startup (boot) | Uninstall at any time (except during startup)
Installing account: Local System | Installing account: Local System (Run with administrative rights) or any other account

Page 50: About me About this session Agenda Computer User

Migrating assigned per-machine installations

Assigned per-machine installation facts
• Group policy software installation type "Assigned to computer" installs and uninstalls programs at computer startup
  • "Installing Managed Software..."
• Group policy software installations extension and Windows installer will make sure that the programs are installed as they are defined in group policies and msi package
• Per-machine (assigned to computer) installation type is quite inflexible and exceptions need extra work

Page 51: About me About this session Agenda Computer User

Migrating assigned per-machine installations

Migration starting point
• Almost 100 "Install Program X" group policy objects to install software
• "Install Program X" GPOs are linked to OUs with strictly managed computers
  • Mostly computer labs and other shared computers
• Permission to link group policy objects delegated to helpdesk groups to different organizational units
  • Easy and simple way to install programs
  • Software installations can be managed only on the computers you have given the permission for
  • Software will be kept up to date by IT Services

Page 52: About me About this session Agenda Computer User

Migrating assigned per-machine installations

Challenge
• How to tie up GPOs and Configuration Manager collections?
• How to make sure we are not messing up group policy based per-machine or per-user installations?
• How to prevent unnecessary overlapping management?
  • Active directory OU structure and Configuration Manager collections

Solution
• KEKSI script
  • Keksi is an Enhancement Kludge for Software Installations

Page 53: About me About this session Agenda Computer User

Migrating assigned per-machine installations

Keksi is a Visual Basic script which
• Is defined as a startup script in "Install Program X" group policy object
• Does nothing if certain group policy per-machine or per-user installations are found
• Checks are based on an msi package's Product Code
• Returns dedicated return codes for reporting

• Adds a new installed pseudo-program "GPOInstall Program X" into registry under HKLM\SOFTWARE\[Wow6432Node\]Microsoft\Windows\CurrentVersion\Uninstall

Page 54: About me About this session Agenda Computer User

[Diagram: Keksi workflow, with steps numbered 1 to 5 in the original figure]
• Domain: GPO "Install Adobe Reader", startup script "\\server\share\keksi-adobereader.vbs"
• Computer: Keksi writes HKLM\SOFTWARE\[Wow6432Node\]Microsoft\Windows\CurrentVersion\Uninstall\GPOInstall Adobe Reader\DisplayName="GPOInstall Adobe Reader"
• Configuration Manager client: Hardware inventory cycle, Add/Remove Programs "GPOInstall Adobe Reader"
• Configuration Manager: Collection "GPO: Install Adobe Reader", Query: Add/Remove Programs Display Name = GPOInstall Adobe Reader
• Computer: Install or upgrade Adobe Reader

Page 55: About me About this session Agenda Computer User

Demo: Keksi script

Page 56: About me About this session Agenda Computer User

Final thoughts

• Know your environment and deployment tools
• Test every installation and uninstall using the deployment solution and with all client versions
• If you have group policy based software installations in place be sure not to break them
• Be careful with scripts some random guy has made
• Never underestimate the power of the software vendor to build the most unimaginable solutions in their software and installers

Page 57: About me About this session Agenda Computer User

Links, references and resources
• Group Policy Infrastructure: http://technet.microsoft.com/en-us/library/dd379467.aspx
• Group Policy Software Installation: http://technet.microsoft.com/en-us/library/cc738151.aspx
• Missing Windows Installer Cache Files Will Require a Computer Rebuild: http://support.microsoft.com/kb/2667628
• About Windows Installer Source Location Manager: http://technet.microsoft.com/en-us/library/bb892810.aspx
• Rollback Installation: http://msdn.microsoft.com/en-us/library/windows/desktop/aa371370.aspx
• Software Installation and Maintenance: http://technet.microsoft.com/en-us/library/bb742420.aspx
• How To Patch a Software Installation Stored on a Network Server That Is Deployed Using Microsoft Software Installer: http://support.microsoft.com/kb/226936

Page 58: About me About this session Agenda Computer User

Thank you!

Page 59: About me About this session Agenda Computer User

Evaluation

Complete your session evaluations today and enter to win prizes daily. Provide your feedback at a CommNet kiosk or log on at www.2013mms.com. Upon submission you will receive instant notification if you have won a prize. Prize pickup is at the Information Desk located in Attendee Services in the Mandalay Bay Foyer. Entry details can be found on the MMS website.

We want to hear from you!

Page 60: About me About this session Agenda Computer User

Resources

http://channel9.msdn.com/Events

Access MMS Online to view session recordings after the event.

Page 61: About me About this session Agenda Computer User

© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.