joukiejouk
asked on
Deployment of an MSI package via GPO failed
I created a GPO to deploy a Mimecast plug-in for Outlook (see screenshot). This GPO should install the plug-in when the remote user logs into their system. When the user logs into the system, the Win 7 screen was showing "Welcome" for about 15 minutes. When it finally loaded to the desktop, the user opens his Outlook client, but the Mimecast plug-in in Outlook is nowhere to be found. Looking at the screenshot, is it because under SETTINGS in the GPO, "Install this application at logon" is disabled? If so, how can i enable that option? I was not able to set it to enabled for some reason. I've also ensure that the GPO is enabled and linked to an OU.
This GPO is a USER CONFIGURATION setup (see screenshot), and is Software Installation is set to point to our PUBLIC share. All domain users have permission to that share. Should the GPO be a user configuration or computer configuration?
When I do a gpresult /r on the user's machine, I do see that the user is picking up the GPO. However, the plugin does not install on upon log in.
This GPO is a USER CONFIGURATION setup (see screenshot), and is Software Installation is set to point to our PUBLIC share. All domain users have permission to that share. Should the GPO be a user configuration or computer configuration?
When I do a gpresult /r on the user's machine, I do see that the user is picking up the GPO. However, the plugin does not install on upon log in.
LockDown32
User GPO is fine. Have you tried running the MSI manually to mak sure the MSI works?
ASKER
Yes, it works manually and vis PSEXEC.
Check your event logs. The long logon time tell me it probably tried to install, failed, and rolled back. An event with the specifics of the failure will exist if that is the case.
ASKER
I looked at Event Viewer > Custom Views > Administrative Events, but it does not show any failed event related to the deployment.
Looking at the very first screenshot, is it because under SETTINGS in the GPO, "Install this application at logon" option is disabled? If this is the case, why am I not able to set it to enabled? The GPO is linked and enforced to an OU.
Looking at the very first screenshot, is it because under SETTINGS in the GPO, "Install this application at logon" option is disabled? If this is the case, why am I not able to set it to enabled? The GPO is linked and enforced to an OU.
No, that's not the reason. All that does is prevent background installs. Some MSIs allow it, some don't. The options available will change depending on the MSI.
Windows installer events are logged in the application event log. Your filter probably hid it.
Windows installer events are logged in the application event log. Your filter probably hid it.
are you logged in using your [ADM] admin privil. account ?
ASKER
I was looking at event viewer on the user's machine. Should i be looking at event viewer from Active Directory, or does it not matter?
The user have local admin rights. He is logged into his machine. I am viewing event viewer on his machine while he is logged on. I checked application log but see no details about the GPO deployment.
The user have local admin rights. He is logged into his machine. I am viewing event viewer on his machine while he is logged on. I checked application log but see no details about the GPO deployment.
I think it does not matter. if GPO clicked on User's machine, either user has ADM account or not, GPO clicks on a destination machine and its not dependent on user's normal account or ADM account.
ASKER
What can be causing deployment of the MSI to fail? I'm not even sure if it failed, as there were no indication on that.
ASKER
I have attached my GPO deployment process for this MSI (Word doc attached). Can someone please review the process and see if anything looks incorrect?
Also, I think i really need to set the option INSTALL THIIS APPLICATION AT LOGON to ENABLED to make this work. There has to be a way to change that.
Should this GPO apply as soon as the user log on or before the user logs on?
Mimecast-plugin-for-Outlook-2013-x6.docx
Also, I think i really need to set the option INSTALL THIIS APPLICATION AT LOGON to ENABLED to make this work. There has to be a way to change that.
Should this GPO apply as soon as the user log on or before the user logs on?
Mimecast-plugin-for-Outlook-2013-x6.docx
ASKER
So I was able to set the GPO option INSTALL THIIS APPLICATION AT LOGON to ENABLED now.
The GPO is linked only to one test user abc. The user is put in the TESTING OU, where the GPO is linked to.
I had user abc do a gpupdate on his machine, but it failed with the message:
What does this mean, and why isnt the user picking up the GPO?
The GPO is linked only to one test user abc. The user is put in the TESTING OU, where the GPO is linked to.
I had user abc do a gpupdate on his machine, but it failed with the message:
What does this mean, and why isnt the user picking up the GPO?
Did you, by chance, install the June security updates already? If so, sis you read the associated KB articles and make the appropriate changes?
ASKER
Can you shed some light on the KB? Do you have a link to provide detailing issues with June updates?
If you haven't deployed June's security updates then it is a non-issue. Thus why I asked before sending you down a rabbit hole.
In addition, I didn't initially bring it up because your *initial* question had a screenshot of the GPO in question and under "security" in the screenshot, it clearly shows authenticated users having read access, which is what is required.
But your latest screenshot shows a security scope that is much more restrictive and that can indeed matter.
If you really want the gritty details, here is the write-up on the KBs (plural) in question, what changed, what *you* need to change if you are changing security scopes, and how it all works. But in essence, if you changed your security scope since you posted the initial question then the behavior would've changed as well, and thus the initial advice of looking in the event logs would no longer be valid.
In general, just for future reference, it is always advisable to make only small changes, let people know what changes you made if you are asking for help, and don't make 'random' changes just hoping the problem fixes itself. It could cause a lot of wasted time on everyone's part. :)
https://blogs.technet.microsoft.com/askpfeplat/2016/07/05/who-broke-my-user-gpos/
In addition, I didn't initially bring it up because your *initial* question had a screenshot of the GPO in question and under "security" in the screenshot, it clearly shows authenticated users having read access, which is what is required.
But your latest screenshot shows a security scope that is much more restrictive and that can indeed matter.
If you really want the gritty details, here is the write-up on the KBs (plural) in question, what changed, what *you* need to change if you are changing security scopes, and how it all works. But in essence, if you changed your security scope since you posted the initial question then the behavior would've changed as well, and thus the initial advice of looking in the event logs would no longer be valid.
In general, just for future reference, it is always advisable to make only small changes, let people know what changes you made if you are asking for help, and don't make 'random' changes just hoping the problem fixes itself. It could cause a lot of wasted time on everyone's part. :)
https://blogs.technet.microsoft.com/askpfeplat/2016/07/05/who-broke-my-user-gpos/
ASKER
It seems like the GPO failed to deploy the plug-in via MSI after the user logs in. Here is what I see from Event viewer on the user's machine:
Any suggestions?
Any suggestions?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
We never got GPO to deploy the plug-in successfully. We went with Plan B, which was to deploy via PSEXEC. I appreciate all the response from all the Experts. Thank you.