Category Archives: software deployment

Group Policy Software Deployment OpenVPN

You will require:

OpenVPN Code signing certificate: http://anonit.blogspot.com.au/2016/03/extract-openvpn-driver-code-signing.html
OpenVPN MSI – instructions here:

Create the deployment share, and set permissions as appropriate: http://anonit.blogspot.com.au/2016/03/group-policy-software-deployment.html

Place the OpenVPN MSI into the deployment share.

Open GPMC.MSC


Expand the domain, and expand Group Policy Objects.  Right click and select New


Give the software deployment a name, and click OK


Right click the GPO and select Edit…


Expand Computer Configuration –> Policies –> Software Settings.  Right click on
Software Installation and select New –> Package…


Navigate to the deployment share via UNC, select the MSI, and click Open.


Select Assigned and click OK.


The application is now assigned for install.


Navigate to Computer Configuration –> Windows Settings –> Security Settings –> 
Public Key Policies.  Right click Trusted Publisher and select Import…



Click Next



Click Browse


Navigate to the OpenVPN certificate and click Open


Click Next



Click Next


Click Finish


Click OK



The certificate is now ready to be pushed out via Group Policy.


Drag the Group Policy Object (e.g. Install Open VPN Client) and release on the OU you wish to
deploy the software to (e.g. Corp Computers).


The software will now be deployed to computer objects in that OU.

Group Policy software deployment permissions

When deploying software via Group Policy, permissions must be set so that the computer account has read permission to the install files.

To check this, open Computer Management and open Shared Folders.

Right click the deployment share and select Properties



Domain computers at a minimum should have read.  In this example, I have Everyone as read.



Open Windows Explorer and navigate to the deployment folder.  Right click the deployment folder
and select Properties


On the Security tab, you can see I have added Domain Computers as Read & execute, List
folder contents, and Read.


This will allow the computer accounts to access the softwaredeployment share.
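
The same two checks can be scripted. The following is an added example, not part of the original post: it reads the share permissions and the NTFS permissions for the deployment folder, confirms computer accounts can read at both layers, and lists any broad principal that can also write. The share name `SoftwareDeployment` and domain `CORP` are placeholders, and the list of principals is an assumption (nested or custom groups are not resolved).

```powershell
# Added example: run on the file server that hosts the deployment share.
# $ShareName and $Domain are placeholders, not values from the post.
param(
    [string]$ShareName = 'SoftwareDeployment',
    [string]$Domain    = 'CORP'
)

# Principals that contain computer accounts (assumption: no custom groups are used).
$broad = @("$Domain\Domain Computers", 'Everyone', 'NT AUTHORITY\Authenticated Users')

$readMask  = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
$writeMask = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'

$share = Get-SmbShare -Name $ShareName -ErrorAction Stop

# Allow entries for the broad principals at the share layer and the NTFS layer.
$shareAcl = @(Get-SmbShareAccess -Name $ShareName | Where-Object {
    "$($_.AccessControlType)" -eq 'Allow' -and $_.AccountName -in $broad })
$ntfsAcl = @((Get-Acl -Path $share.Path).Access | Where-Object {
    "$($_.AccessControlType)" -eq 'Allow' -and $_.IdentityReference.Value -in $broad })

# Read check: the computer account needs read at BOTH layers to fetch the MSI.
$shareRead = [bool]($shareAcl | Where-Object { "$($_.AccessRight)" -in 'Read', 'Change', 'Full' })
$ntfsRead  = [bool]($ntfsAcl  | Where-Object {
    ($_.FileSystemRights -band $readMask) -eq $readMask })

# Write check: computer-assigned packages are installed under the Local System
# account, so the files on this share should only be writable by administrators.
$shareWrite = @($shareAcl | Where-Object { "$($_.AccessRight)" -in 'Change', 'Full' })
$ntfsWrite  = @($ntfsAcl  | Where-Object {
    [int]($_.FileSystemRights -band $writeMask) -ne 0 })

[pscustomobject]@{
    Share            = $ShareName
    Path             = $share.Path
    ComputersCanRead = $shareRead -and $ntfsRead
    ShareWritableBy  = ($shareWrite.AccountName | Sort-Object -Unique) -join '; '
    NtfsWritableBy   = ($ntfsWrite.IdentityReference.Value | Sort-Object -Unique) -join '; '
}
```

`ComputersCanRead` should be `True`, and both `WritableBy` fields should be empty; a principal that appears in both can modify the package that clients install.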