Category Archives: Group Policy

Group Policy Software Deployment OpenVPN

You will require:

OpenVPN Code signing certificate:
OpenVPN MSI – instructions here:

Create the deployent share, and set permissions as appropriate:

Place the OpenVPN MSI into the deployment share.


Expand the domain, and expand Group Policy Objects.  Right click and select New

Give the software deployment a name, and click OK

Right click the GPO and select Edit…

Expand Computer Configuration –> Policies –> Software Settings  Right click on
Software Installation and select New –> Package…

Navigate to the deployment share via UNC, select the MSI, and click Open.

Select Assigned and click OK.

The application is now assigned for install.

Navigate to Computer Configuration –> Windows Settings –> Security Settings –> 
Public Key Policies.  Right click Trusted Publisher and select Import…

Click Next

Click Browse

Navigate to the OpenVPN certificate and click Open

Click Next

Click Next

Click Finish

Click OK

The certificate is now ready to be pushed out via Group Policy.

Drag the Group Policy Object (EG: Install Open VPN Client) and release on the OU you wish to
deploy the software to.  (EG: Corp Computers).

The software will now be deployed to computer objects in that OU.

Group policy Software deployment permisisons

When deploying software deployment via group policy permissons must be set so that the computer account has read permission to the install files.

To check this, open Computer Management and open Shared Folders.

Right click the deployment share and select Properties

Domain computers at a minimum should have read.  In this example, I have Everyone as read.

Open Windows Explorer and navigate to the deployment folder.  Right click the deployment folder
and select Properties

On the Security tab, you can see i have added Domain Computers as Read & execute, list
folder contents, and Read.

This will allow the computer accounts to access the softwaredeployment share.

Adobe DC Customisation Wizard

A new version of Adobe Reader is out, with a new name.  No longer called Adobe Reader, it is called Acrobat Reader.  And the version is ‘DC’.

So head on over to Adobe’s website, download and install the Customisation wizard:

Grab Acrobat Reader (without the mcafee / google bundle):

Use your favourite program to extract the files from within the .exe file (WinRAR, 7zip, etc).

Once you have the .MSI file extracted, you can then open the customisation wizard, and open the .MSI using the customisation wizard.

Make any relevant changes you wish to the .MSI file.  EG: ‘Supress display of End User License Agreement (EULA)’, ‘Disable product updates’, ‘Disable Upsell’, etc.

You may also want to use the Registry section of the Customisation Wizard to makes changes, or use Group Policy, or alternate methods of setting the relevant keys:

Don’t show messages while viewing a document
HKLMSOFTWAREPoliciesAdobeAcrobat ReaderDCFeatureLockdowncIPM

Show me messages when I launch Adobe Acrobat Reader DC
HKLMSOFTWAREPoliciesAdobeAcrobat ReaderDCFeatureLockdowncIPM

Show welcome dialog when opening file
HKLMSOFTWAREPoliciesAdobeAcrobat ReaderDCFeatureLockdowncWelcomeScreen

HKLMSoftwarePoliciesAdobeAcrobat ReaderDCFeatureLockDown

The ‘bDontShowMsgWhenViewingDoc’ as a value of ‘0’ to NOT display the message.  A value of 1 will display the message.  This is the reverse of what is expected given the name is DontShow.

Save the package in the customisation wizard, and install using the following command:
msiexec.exe /i AcroRead.msi TRANSFORMS=acroread.mst

The details for this post were found: (Some information in this is now incorrect, see the forum post below!)

Create a Group Policy WMI filter to determine 64 bit or 32 bit Operating System

I needed to create a WMI filter for Group Policy that would separate 64 bit and 32 bit Operating Systems.


Open Group Policy Management.  Expand the Forest and Domain, down to WMI Filters.

Right click WMI Filters and select New…

Type a Name (for 64 bit operating systems) for the Filter and a Description.  Click Add

Leave the Namespace as rootCIMv2

Type the Query

SELECT AddressWidth FROM Win32_Processor WHERE AddressWidth =’64’  and click OK

Click Save


Repeat the process, for 32 bit Operating Systems.  The Query is:

SELECT AddressWidth FROM Win32_Processor WHERE AddressWidth =’32’.

This can then be applied to a Policy

Some handy WMI filters for further separation:

Windows 7 32 bit:

select * from Win32_OperatingSystem WHERE Version like “6.1%” AND
ProductType=”1″ AND NOT OSArchitecture = “64-bit”

Windows 7 64 bit:

select * from Win32_OperatingSystem WHERE Version like “6.1%” AND
ProductType=”1″ AND OSArchitecture = “64-bit”

Windows 8 32 bit:

select * from Win32_OperatingSystem WHERE Version like “6.2%” AND
ProductType=”1″ AND NOT OSArchitecture = “64-bit”

Windows 8 64 bit:

select * from Win32_OperatingSystem WHERE Version like “6.2%” AND
ProductType=”1″ AND OSArchitecture = “64-bit”