Avatar of philjans
philjansFlag for Canada

asked on 

SOFTWARE installation using GPO doesn't work...

Trying to install by GPO CarbonBlack but it doesn't work,
I am following their procedure:
To deploy sensors using Group Policy:
1. Click Start > Administrative Tools > Group Policy Management.
2. Go to Forest: YOURDOMAIN > Domains > YOURDOMAIN > Group Policy Objects.
3. Right-click the Group Policy Objects folder and click New.
4. Type a name for the new Group Policy Object (GPO).
5. In the Group Policy Objects folder, click the new GPO.
6. In the bottom right pane, remove the Authenticated Users entry from the Security
Filtering box.
7. To deploy the sensors on specific computers only, add all of the specific computer
names that you want the sensor to be deployed on. To deploy sensors on all
computers in the domain, add the group "Domain Computers". Right-click the
YOURDOMAIN folder in the Navigation pane. Click Link an existing GPO. Click the new
GPO and click OK.
8. Right-click the GPO in the Group Policy Objects folder and click Edit.
9. In the new window, go to Computer Configuration > Policies > Software Settings >
Software installations. Right-click inside the empty pane on the right and go to New
> Software Package. In the new window that appears, go to the share that you
10. Under Deployment method, click Advanced.
11. Add an easily identifiable package name (for example, DefenseSensor32).
12. For a 32-bit .msi file only, in the Deployment tab, click Advanced and deselect Make
this 32-bit x86 application available to Win64 machines. Click OK.
13. Click the Modifications tab and click Add.
14. Select the .mst file that you created in the previous procedure.
15. Save your changes.
Chapter 3: Deploy and Manage Sensors
Cb Defense User Guide v2.2.2 34
16. Deploy sensors: if you use a script to force a reboot to update the policy objects, run
the script.
17. To verify that sensors are deploying correctly, check the console periodically to verify
that sensor information is populating and that the sensors are checking in regularly.

I see in gpresult /R that the strategie is there
The files are located on a share on my file server and the permissions are everyone read on the share and everyone read in the Security

But in even viewer system I get:

event id 108 %%1612
event id 303 successfull
event id 102 failed %%1612
event id 301 successfull

I also tried putting it in the gpo under Users instead of Computers same thing.

I don't know why the procedure ask to remove in step 6 the permissions also... And why under Computer instead of Users?
Active DirectoryInstallationWindows 10AzureWindows Server 2016

Avatar of undefined
Last Comment
David Johnson, CD
Avatar of Jeff Glover
Jeff Glover
Flag of United States of America image

OK, first, following your steps, you created the GPO in the Group Policy Objects container. That does not link it to anything. You have to link that GPO to an OU that contains the Computers (or users) you want to deploy the software to.

to answer your questions at the end, removing Authenticated users and adding the computer names is called Security filtering. By default, a GPO will apply to anything in the Site, Domain or OU it is linked to, depending on where you linked it. By removing Authenticated users and adding the names, it limits it to those specific computers. Personally, I seldom use Security Filtering and when I do, it is by group, not computer name. Make an AD Security group, add the computers to it and use that to filter the GPO. The second part, computer vs user, is how you want the software to install, For all users on a machine or for a specific user.
Avatar of philjans
Flag of Canada image


@Jeff: yes they are linked... Carbon Black procedure up there dont mentionned it but I did it of course. And i confirmed it like mentionned using gpresult on the target and the gpo did apply to it and there is also all the event viewers error on the target about that gpo.

I did try to make an AD security group with all computers in it: same problem.
I still don't understand why CarbonBlack would want to remove the permissions and leave it blank.  But I tried with the new computergroup and still not working.

Thanks for the clarification about "computer" versus "user"... make sence to deploy it under "computer".
Avatar of Jeff Glover
Jeff Glover
Flag of United States of America image

Blurred text
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
See Pricing Options
Start Free Trial
Authenticated Users is mandatory item for group policy (for the last couple of years)
Active Directory
Active Directory

Active Directory (AD) is a Microsoft brand for identity-related capabilities. In the on-premises world, Windows Server AD provides a set of identity capabilities and services, and is hugely popular (88% of Fortune 1000 and 95% of enterprises use AD). This topic includes all things Active Directory including DNS, Group Policy, DFS, troubleshooting, ADFS, and all other topics under the Microsoft AD and identity umbrella.

Top Experts
Get a personalized solution from industry experts
Ask the experts
Read over 600 more reviews


IBM logoIntel logoMicrosoft logoUbisoft logoSAP logo
Qualcomm logoCitrix Systems logoWorkday logoErnst & Young logo
High performer badgeUsers love us badge
LinkedIn logoFacebook logoX logoInstagram logoTikTok logoYouTube logo