Configuring Advanced and Global Software Installation Options

After you create an assigned or published software package, you can modify the package properties using the advanced software installation options. These options are also available if you choose Advanced as the package option in the Deploy Software dialog box. You can use these options to:

  • View or set the general deployment properties

  • Change the deployment type and installation options

  • Define application categories for easier management when you have many deployed applications

  • Specify that the package represents an upgrade of a previously deployed application

  • Define the transform files that you want to use to customize the installation

  • Control deployment of an application by security group

A related set of options is the global software installation options, which you can use to set global options for Software Installation policy.

Viewing and Setting General Deployment Properties

A software package’s general deployment properties are primarily informational and include:

  • Name. The name of the package as it appears to the user (within Add/Remove Programs). This name comes from the ProductName property in a .msi file or the FriendlyName property in a .zap file. The name can be modified using the general options.

  • Product Information. The version, publisher, language, and platform details from the package file. In a .zap file, version and publisher are set with the DisplayVersion and Publisher properties, respectively. Once the product information is set, it cannot be modified.

  • Support Information. The contact name, phone number, and URL of the software manufacturer. In a .zap file, the URL is set with the URL property. The URL can be modified using the general options.

You can view and set the general options for a software package by completing the following steps:

  1. Access Software Installation under Computer Configuration\Software Settings\Software Installation or User Configuration\Software Settings\Software Installation as appropriate for the type of package you want to work with.

  2. The defined packages are listed in the right pane. Right-click the package you want to work with, and select Properties.

  3. Name, product information, and support information details are provided on the General tab, as shown in Figure 9-4.

Figure 9-4. Viewing and setting general software package options

Changing the Deployment Type and Installation Options

During the package creation process, you can set only the basic options that control whether an application should be published or assigned. Because you’ll often need to fine-tune the configuration, you should always review the deployment type and installation options in the software package’s Properties dialog box and make any necessary changes. To do this, follow these steps:

  1. Access Software Installation under Computer Configuration\Software Settings\Software Installation or User Configuration\Software Settings\Software Installation as appropriate for the type of package you want to work with.

  2. Right-click the package you want to work with, and select Properties. Select the Deployment tab, as shown in Figure 9-5.

    Figure 9-5. Reviewing and modifying deployment type and installation options

  3. On the Deployment tab, you can choose whether to publish or assign the application. Based on that choice, other options become available or unavailable. The Deployment options you can choose from are:

    • Auto-Install This Application By File Extension Activation. Advertises any file extensions associated with this package for install-on-first-use deployment. This option is selected by default and is not modifiable when you assign a package to a user. With a published application that normally requires the user to explicitly install the application through Add/Remove Programs, enabling this option provides assignment features for file extensions associated with the application.

    • Uninstall This Application When It Falls Out Of The Scope Of Management. Removes the application if it no longer applies to the user. An application falls out of scope when the GPO that has deployed it is no longer processed by the user or computer. If an application falls out of scope and this option is selected, the application is uninstalled during the next foreground (user logon or computer restart) processing cycle.

      Note

      An application can fall out of scope for three general reasons: a user or computer object moves to a new location within the Active Directory hierarchy where the GPO no longer applies, a GPO is disabled or deleted from the current scope of management, or the GPO’s security filtering is changed such that the user or computer no longer processes that GPO.

    • Do Not Display This Package In The Add/Remove Programs Control Panel. Prevents the application from appearing in Add/Remove Programs. This option can be useful if you want to prevent a user who has administrative access over his own machine from manually removing the policy-deployed application.

    • Install This Application At Logon. Configures full installation, rather than advertisement, of an application at user logon. This option is cleared by default and is not modifiable when you publish a package for users.

    Note

    With large applications, full install at logon will slow down the user logon process considerably. The application setup will need to be completed before the desktop is presented to the user.

  4. Installation User Interface Options settings let you define whether the user sees all messages during the application installation. With the default setting, Maximum, the user sees all setup screens and messages. With the Basic option, the user sees only error and completion messages. Some applications require you to choose the Basic option when the user initiates the installation because the user has insufficient privileges to make setup choices during the installation.

  5. If you click Advanced, you get the Advanced Deployment Options dialog box (Figure 9-6), which has the following options:

    • Ignore Language When Deploying This Package. Applies when the user is running one language version of Windows and is trying to install a different language version of an application. Normally this fails, but if you select this option, the application is installed anyway.

    • Make This 32-Bit X86 Application Available To IA64 Machines. Allows you to deploy 32-bit x86 applications on 64-bit Windows versions using Intel IA-64 chip architecture. This option applies to applications installed with either .msi or .zap installer files.

    • Include OLE Class And Product Information. Allows you to include COM registration information within Active Directory. If you choose this option, COM advertisements that are part of the application package are stored within the Active Directory Class Store, which is part of the GPC related to Software Installation policy. Because the number of advertised COM components within a large package can be significant, choose this option only if you absolutely need to use COM advertisements with your deployment. See Chapter 12 for more information on the Class Store.

Figure 9-6. Configuring advanced software deployment options

Tip

The Advanced Software Deployment Options dialog box also provides some useful diagnostic information for the package. The first value provided is the Windows Installer product code, which Software Installation policy uses as a key to determine whether an application has already been installed on a computer. The next value is the deployment count, which is the number of times the application has been redeployed. Finally, the path to the application assignment script is shown. This file is stored within the GPT portion of the GPO and holds information related to the package path and any advertisements that have been made.

Defining Application Categories

In a large enterprise, when you use Software Installation policy to deploy many applications, you might want to define application categories to help organize the list of available applications in the Add Or Remove Programs utility. If you don’t create categories and dozens of applications are available, users see the entire list of available applications, and this long list can be confusing. To help reduce confusion, you might want to define application categories, such as Sales Applications, Engineering Applications, Marketing Applications, Administrative Applications, and General Use Applications.

Once you define the categories, they are listed in the Add Or Remove Programs dialog box (Figure 9-7). Creating and defining categories is a fairly straightforward process. First you define your application categories using the global software installation defaults, which we discuss in "Setting Global Deployment Defaults." Then you add an application to a category using Categories tab options in the related Properties dialog box.

Figure 9-7. Displaying application categories in Add Or Remove Programs

Adding, Modifying, and Removing Application Categories

Application categories are defined using the global Software Installation defaults. To define application categories, follow these steps:

  1. Access Software Installation under Computer Configuration\Software Settings\Software Installation.

    Note

    For application categories, the same global defaults are used for both per-computer and per-user Software Installation policy.

  2. Right-click Software Installation and choose Properties.

  3. Select the Categories tab in the Software Installation Properties dialog box, as shown in Figure 9-8.

    Figure 9-8. Creating and managing application categories

  4. To define a new application category, click Add, type the name of the application category, and then click OK.

    To modify an existing application category, select the category to modify and then click Modify. After you change the category name, click OK.

    To remove an application category, select the category and then click Remove.

Adding an Application to a Category

Once you’ve defined the categories you want to use in global defaults, you can add applications to these categories. To add an application to a category, follow these steps:

  1. Access Software Installation under Computer Configuration\Software Settings\Software Installation or User Configuration\Software Settings\Software Installation as appropriate for the type of package you want to work with.

  2. Right-click the package you want to work with, and select Properties. Select the Categories tab.

  3. Select a category under Available Categories and then click Select to select and list the application. If the application should be listed under additional categories, repeat this step.

  4. Click OK.

Performing Upgrades

As discussed previously, Software Installation policy provides upgrade paths for applications when you use Windows Installer packages. There are two general types of upgrades:

  • Upgrades to perform a patch or install a service pack

  • Upgrades to deploy a new version of an application

The sections that follow discuss both types of upgrades. Keep in mind that you should thoroughly test any upgrade before deploying it. You should check to make sure the upgrade doesn’t cause conflicts or other problems with existing applications that are deployed. You should also test the upgrade process to make sure it works as expected. If you don’t test, you might, for example, find that you have compatibility problems or that you haven’t included all the necessary files for the upgrade.

Patching or Installing an Application Service Pack

To patch or apply a service pack on a previously deployed application, you complete the following steps:

  1. Obtain a .msi file or .msp (patch) file for the application. The software manufacturer should provide this. If not, you must create your own, as discussed in the "Getting the Necessary Windows Installer File" section in this chapter.

  2. Copy the .msi or .msp file and any new installation files to the folder containing the original .msi file. Overwrite any duplicate files if necessary.

  3. Access Software Installation under Computer Configuration\Software Settings\Software Installation or User Configuration\Software Settings\Software Installation as appropriate for the type of package you want to work with.

  4. Redeploy the application. Right-click the related package and then select All Tasks, Redeploy Application.

The application is redeployed to all users and computers as appropriate for the GPO you are working with. For more information on how redeployment works, see the "Redeploying Applications" section in this chapter. Keep in mind that only applications that have Windows Installer files can be upgraded in this way. If your application uses a .zap file instead, you need to complete the following steps:

  1. Remove the existing application (as described in the "Removing Deployed Applications" section in this chapter).

  2. Create a completely new package for the application (as described in the "Creating the ZAP File" section in this chapter).

  3. Deploy the new package (as described in the "Deploying the Software Using a ZAP File" section in this chapter).

Deploying a New Version of an Application

In a software package’s Properties dialog box, you can establish or verify upgrade relationships between the application you are deploying and previously deployed applications. This feature allows you to perform enforced upgrades of previously installed applications. For example, if you previously published Office XP, you can deploy Office 2003 and create an upgrade relationship between the Office XP deployment and the Office 2003 deployment. Any users or computers with Office XP automatically get Office 2003 installed during the next foreground policy processing cycle.

Tip

If you deploy two applications within a single GPO that have identical Windows Installer product code SKU numbers (the third and fourth digits in the product code), the second application deployed is automatically deployed with an upgrade relationship to the first. For example, if you deploy Office XP and then Office 2003, Office 2003 is deployed automatically as an upgrade to Office XP.

To upgrade a previously deployed application to a new version, you complete the following steps:

  1. Create a new software package to deploy the new version of the application (as discussed in the "Deploying the Software Using a Windows Installer File" section in this chapter).

  2. Access Software Installation under Computer Configuration\Software Settings\Software Installation or User Configuration\Software Settings\Software Installation as appropriate for the type of package you want to work with.

  3. Right-click the related package, and then select Properties. If the package is already configured to upgrade an existing package, the package will be listed under Packages That This Package Will Upgrade, as shown in Figure 9-9. Select the package, and click Remove to remove this relationship.

    Figure 9-9. Configuring upgrade relationships

  4. To establish an upgrade relationship between the application you are deploying and the previously deployed application, click Add on the Upgrades tab. This opens the Add Upgrade Package dialog box (Figure 9-10).

    Figure 9-10. Adding a package to upgrade

  5. You can establish an upgrade relationship between applications that are deployed within the same GPO by selecting Current Group Policy Object. If you want to establish a relationship between a package in a different GPO, select A Specific GPO, click Browse, and then use the Browse For A Group Policy Object dialog box to select the GPO.

  6. Under Package To Upgrade, select the package to upgrade. You can then choose an upgrade option:

    • Uninstall The Existing Package, Then Install The Upgrade Package. Recommended if you want to completely reinstall the application with the new version.

    • Package Can Upgrade Over The Existing Package. Recommended if you want to perform an in-place upgrade over the existing installation.

  7. Click OK to close the Add Upgrade Package dialog box.

  8. If you want to make this a required upgrade, select Required Upgrade For Existing Packages. The application you’re deploying will automatically upgrade any existing packages the next time the computer restarts or when a user logs on. The user won’t have a choice in the matter. If you do not make this a required upgrade, the user can choose when to install the upgrade through Add Or Remove Programs or by activating the application.

After you create an upgrade relationship, the package doing the upgrading is shown with a green up-arrow icon to indicate that it is an upgrade.

Note

If you deploy two applications and one upgrades the other, new clients that come on the network and don’t have either application installed will first install the earlier version of the application and then, during the next foreground processing cycle, install the upgraded version.

Customizing the Installation Package with Transforms

When an application uses a Windows Installer package, you can customize the installation using transforms. Transforms are special instruction files that modify the instructions embedded in the default package during application installation. Transform files have an .mst extension.

You can manage the transforms associated with an application using the related software package’s Properties dialog box. Access Software Installation under Computer Configuration\Software Settings\Software Installation or User Configuration\Software Settings\Software Installation as appropriate for the type of package you want to work with. Right-click the related package, select Properties, and then select the Modifications tab.

You can add multiple transform files to an application; they are processed in the order listed on the Modifications tab, from the top of the list to the bottom, which means that transforms lower in the list take precedence over higher ones. For more information about creating transforms for Office, see the "Deploying Microsoft Office and Service Packs" section in this chapter.

Caution

Once you add transforms to a published or assigned application and click OK to deploy the application, you can no longer add to or modify the list of transforms for that application. To change the applied transforms, you must remove the current application from the GPO, let all clients that have installed the application successfully uninstall it, and then re-create the package within the GPO, specifying the new transforms.

Controlling Deployment by Security Group

As discussed previously, you can manage which users and computers install deployed software in several ways: You can apply a security filter so the GPO applies only to specific security groups within a site, domain, or OU. You can create a WMI filter to filter the application deployment based on operating system or hardware configuration. You can also modify the security on the installer file itself, which is the technique discussed in this section.

Modifying the security on the installer file itself provides a more granular way to control which users or computers will process the Software Installation policy than if you use GPO-based security filtering. For example, even though a GPO might be linked to an OU and have security filtering that specifies that all users in that GPO will process it, you can use this Security tab to control which users within that OU will receive a particular deployed application package. Because you can have multiple applications deployed within a given GPO, you have a lot of flexibility in targeting application deployment.

To manage the security on an installer file, and thereby manage which computers and users can make use of it, you use the software package’s Properties dialog box. Access Software Installation under Computer Configuration\Software Settings\Software Installation or User Configuration\Software Settings\Software Installation as appropriate for the type of package you want to work with. Right-click the related package, select Properties, and then select the Security tab, as shown in Figure 9-11.

Figure 9-11. Viewing the Security permissions on an application package

The options on the Security tab allow you to define delegation for the selected installer file within a GPO. The default security provides:

  • Read access to Authenticated Users, which allows all users and computers to which the GPO applies to process the file as appropriate

  • Read, Write, Special Permissions to Creator Owner and Enterprise Admins, which allows the creator and Enterprise Admins to work with the installer file

  • Read and Special Permissions to Enterprise Domain Controllers, which allows Enterprise Domain Controllers to work with the installer file

  • Full Control to System and Domain Admins, which allows the operating system and Domain Admins to fully manage the installer file and the installation process

To allow a user or computer to install a deployed application package, you simply grant that user or computer (or user or computer group) Read permission on the application. A deployed application package grants the Authenticated Users group read access by default—which means that all users and computers have access to the application package by default. To target an application package to a specific group, you must first remove the Authenticated Users access from that application and then add Read access for the appropriate users, computers, or groups. However, because permissions are inherited from the application package object itself, you must remove inheritance before you can modify the permissions. Follow these steps to perform this operation:

  1. Access Software Installation under Computer Configuration\Software Settings\Software Installation or User Configuration\Software Settings\Software Installation as appropriate for the type of package you want to work with.

  2. Right-click the related package, and select Properties. On the Security tab, click Advanced.

  3. Clear the check box labeled "Inherit From Parent The Permission Entries That Apply To Child Objects."

  4. A dialog box appears, asking you whether you want to copy or remove the inherited permissions or cancel the operation completely. Choose Copy. Click OK to return to the basic security dialog box.

  5. Select the Authenticated Users group in the Group Or User Names list, and then click Remove.

  6. Click Add, and then use the Select Users, Computers, Or Groups dialog box to select the user, computer, or group for which you want to add permissions. Click OK.

  7. Select the newly added user, computer, or group in the Group Or User Names list. Under Permissions For, select Read in the Allow column.

  8. Repeat steps 6 and 7 to add permissions for other users, computers, or groups.

  9. Click OK.

The newly added users, computers, or groups can now install the application. Other users, computers, or groups cannot install the application (unless they are a member of one of the default groups, such as Domain Admins).
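An audit of the result of this procedure, as an added PowerShell example that is not from the book: it classifies each package by who holds Read on it and flags the case where a group was added but Authenticated Users was never removed. The EXAMPLE domain, the Engineering Users group, the function names, and the ReadProperty test are assumptions of this example; the sample ACLs are constructed.

```powershell
# Added example (not from the book): classify package ACLs as default or targeted.
Add-Type -AssemblyName System.DirectoryServices
$Rights       = [System.DirectoryServices.ActiveDirectoryRights]
$ReadProperty = [int]($Rights::ReadProperty)

# Principals that hold access by default, per the list in this section.
$DefaultPattern = '(^|\\)(Authenticated Users|CREATOR OWNER|SYSTEM|' +
                  'ENTERPRISE DOMAIN CONTROLLERS|Domain Admins|Enterprise Admins)$'

function Get-PackageTargeting {
    param(
        [Parameter(Mandatory)][string]   $PackageName,
        [Parameter(Mandatory)][object[]] $Access,   # ACEs, e.g. nTSecurityDescriptor.Access
        [bool] $InheritanceBlocked = $false
    )
    # Assumption of this example: an Allow ACE that includes ReadProperty counts as Read.
    $readers = @($Access |
        Where-Object { "$($_.AccessControlType)" -eq 'Allow' -and
                       (([int]$_.ActiveDirectoryRights) -band $ReadProperty) } |
        ForEach-Object { "$($_.IdentityReference)" } | Sort-Object -Unique)

    $authUsers = @($readers | Where-Object { $_ -match '(^|\\)Authenticated Users$' }).Count -gt 0
    $extra     = @($readers | Where-Object { $_ -notmatch $DefaultPattern })

    $finding = if ($authUsers -and $extra.Count) {
        'Not targeted: Authenticated Users still has Read, so the added entries restrict nothing'
    } elseif ($authUsers) {
        'Default: every user or computer the GPO applies to can install'
    } elseif ($extra.Count) {
        'Targeted: only the listed principals (and default admin groups) can install'
    } else {
        'No target added: only the default administrative principals can install'
    }
    [pscustomobject]@{
        Package            = $PackageName
        InheritanceBlocked = $InheritanceBlocked
        NonDefaultReaders  = $extra -join '; '
        Finding            = $finding
    }
}

# Live use (requires the ActiveDirectory module; not called here). Assumes package
# objects sit in the Class Store container of the GPO's User or Machine half.
function Get-GpoPackageTargeting {
    param([Parameter(Mandatory)][guid]$GpoId,
          [ValidateSet('User','Machine')][string]$Side = 'User')
    $base = 'CN=Packages,CN=Class Store,CN={0},CN={1},CN=Policies,CN=System,{2}' -f
            $Side, $GpoId.ToString('B').ToUpper(), (Get-ADDomain).DistinguishedName
    Get-ADObject -SearchBase $base -LDAPFilter '(objectClass=packageRegistration)' `
                 -Properties packageName, nTSecurityDescriptor |
        ForEach-Object {
            $sd = $_.nTSecurityDescriptor
            Get-PackageTargeting -PackageName $_.packageName -Access $sd.Access `
                                 -InheritanceBlocked $sd.AreAccessRulesProtected
        }
}

# Constructed sample ACLs; EXAMPLE\... names are hypothetical.
function New-SampleAce([string]$Identity, $Right) {
    [pscustomobject]@{ IdentityReference = $Identity; ActiveDirectoryRights = $Right
                       AccessControlType = 'Allow' }
}
$admins = @(
    (New-SampleAce 'NT AUTHORITY\SYSTEM'   ($Rights::GenericAll)),
    (New-SampleAce 'EXAMPLE\Domain Admins' ($Rights::GenericAll))
)
$authRead = New-SampleAce 'NT AUTHORITY\Authenticated Users' ($Rights::GenericRead)
$engRead  = New-SampleAce 'EXAMPLE\Engineering Users'        ($Rights::GenericRead)

$samples = [ordered]@{
    'Default ACL'                      = $admins + $authRead
    'Group added, default kept'        = $admins + $authRead + $engRead
    'Targeted per the steps above'     = $admins + $engRead
    'Authenticated Users removed only' = $admins
}
$samples.Keys | ForEach-Object {
    Get-PackageTargeting -PackageName $_ -Access $samples[$_] `
                         -InheritanceBlocked ($_ -notlike 'Default*')
} | Format-Table -AutoSize -Wrap
```

The second sample row is the one worth alerting on: the package looks restricted in the Security tab because a group was added, but every authenticated principal in the GPO's scope can still install it.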

Setting Global Deployment Defaults

If you always use certain installation options for Software Installation policy, you might want to configure global defaults. For example, if you want applications to be uninstalled by default when they fall out of scope, you can use global defaults to do this.

Note

For Software Installation Categories, the same global defaults are used for both per-computer and per-user options on a per-GPO basis. Otherwise, the global defaults are set separately for Software Installation policy under Computer Configuration and User Configuration.

You can view current global defaults and define others by completing the following steps:

  1. Access Software Installation under Computer Configuration\Software Settings\Software Installation.

  2. Right-click the Software Installation node, and choose Properties. This opens the Software Installation Properties dialog box (Figure 9-12).

Figure 9-12. The Software Installation Properties dialog box

You can view and set global defaults for Software Installation policy for both users and computers.

Table 9-2 provides an overview of the global defaults you can configure and lists the tab that each option is located on.

Table 9-2. Global Software Installation Defaults

| Tab | Option | Description |
| --- | --- | --- |
| General | Default Package Location | Sets a default path to packages within this GPO. When you select New, Package, this path appears in the Open File dialog box. |
| General | New Packages | Determines whether the Deploy Software dialog box is displayed or a default package deployment option is chosen automatically. By default, the Deploy Software dialog box lets you choose the deployment option. You can specify that the GPO should always choose one of these options right away. |
| General | Installation User Interface Options | Sets the default user interface option: Basic or Maximum. With the default setting, Maximum, users see all setup screens and messages. With the Basic option, users see only error and completion messages. |
| Advanced | Uninstall The Applications When They Fall Out Of The Scope Of Management | An application falls out of scope when the GPO that has deployed it is no longer processed by the user or computer. If an application falls out of scope and this option is selected, the application is uninstalled during the next foreground (user logon or computer restart) processing cycle. |
| Advanced | Include OLE Information When Deploying Applications | If you choose this option, COM advertisements that are part of the application package are stored within the Active Directory Class Store. See Chapter 13 for more information on the Class Store. |
| Advanced | Make 32-Bit X86 Windows Installer Applications Available To IA64 Machines | Allows you to use .msi files to deploy 32-bit x86 applications on 64-bit Windows versions using Intel IA-64 chip architecture. |
| Advanced | Make 32-Bit X86 Down-Level Applications Available To IA64 Machines | Allows you to use .zap files to deploy 32-bit x86 applications on 64-bit Windows versions using Intel IA-64 chip architecture. |
| File Extensions | Application Precedence | Within a GPO, if you have multiple applications that register the same file extension, you can use this option to control which application is installed when the user opens a document with the advertised extension. |
| Categories | Categories For The Domain | Lets you specify global defaults for application categories. The categories appear in Add Or Remove Programs. |
