none
Group Policy - Issues deploying software packages through GPO

    Question

  • Hello everyone,

    I am having issues successfully deploying MSI packages through group policy.  I have set my computer account up in its own test OU in my domain, but yet the software will not deploy.  Example, I'm trying to deploy AVG Anti-Virus and make sure it is installed on each and every PC in my domain.  As for the GPO, I set it up as an assigned package and pointed to the location of the package with the UNC file path (visible to both the DC and my computer that is part of the affected OU)

    On the domain controller, I get these messages in application event logs:

    Beginning a Windows Installer transaction: \\hs-dc2\software\avg\installavg.msi. Client Process Id: 9048.

    Ending a Windows Installer transaction: \\hs-dc2\software\avg\installavg.msi. Client Process Id: 9048.

    This shows up when I refresh GP on my computer.  I run gpresult /h GPReport.html and get the following message:

    Software Installation failed due to the error listed below.
    Fatal error during installation.
    Additional information may have been logged. Review the Policy Events tab in the console or the application event log for events between

    The software is in a share on the domain controller that is visible from my computer, and permissions are set where "Everyone" has read access.  I have tested the package on my computer and it installs correctly if I do it manually, so it's a good package. 

    I'm at a loss.  I am admitedly very new to GP management, but I'm pretty sure I have covered all my bases here.  I humbly ask for any and all help that you all can provide.

    Thank you all very much, have a great weekend!

    Friday, January 13, 2012 9:51 PM

Answers

  • Usually, the antivirus package installation fails due to the existance of another antivirus on the target computer. I have seen many times incongruence between two antivirus on the same computer (one wanted to uninstall the other before starting its installation).
    " Never panic before reboot ! "
    Saturday, January 14, 2012 12:41 AM
  • Hi,

    I would like to confirm that whether the issue still there. Have you tried the suggestion Vodar provided?

    It seems like the policy was fine. I would like to know that whether all computers have the issue. Please apply the policy to a new installed OS.

    In addition, please also refer to the below link about software deployment:

    How to use Group Policy to remotely install software in Windows Server 2003 and in Windows Server 2008

    http://support.microsoft.com/kb/816102

    Best Regards,

    Yan Li


    Yan Li

    TechNet Community Support

    Monday, January 16, 2012 4:28 AM
    Moderator
  •  

    "The software is in a share on the domain controller that is visible from my computer, and permissions are set where "Everyone" has read access."

    I think you need "Read and Execute" permission.

     

    Do you have another antivirus and is it from the same vendor.

    And if you do, how did you deploy antivirus firt time around was it through GPO or some other method.

     

    If you are lucky enoguh you may be able to deploy it as an upgrade where you can use GPO to uninstall the current and deploy the new version.

     

    Another suggestion is to use DFS when you use GPO for software deployments. It makes it so much easier when you have to replace the server and plus then you have the ability to have "local" installs where the clients download from the server that's in their local network rather then remote server.

     

     


    Monday, January 16, 2012 6:30 AM

All replies

  • Usually, the antivirus package installation fails due to the existance of another antivirus on the target computer. I have seen many times incongruence between two antivirus on the same computer (one wanted to uninstall the other before starting its installation).
    " Never panic before reboot ! "
    Saturday, January 14, 2012 12:41 AM
  • Hi,

    I would like to confirm that whether the issue still there. Have you tried the suggestion Vodar provided?

    It seems like the policy was fine. I would like to know that whether all computers have the issue. Please apply the policy to a new installed OS.

    In addition, please also refer to the below link about software deployment:

    How to use Group Policy to remotely install software in Windows Server 2003 and in Windows Server 2008

    http://support.microsoft.com/kb/816102

    Best Regards,

    Yan Li


    Yan Li

    TechNet Community Support

    Monday, January 16, 2012 4:28 AM
    Moderator
  •  

    "The software is in a share on the domain controller that is visible from my computer, and permissions are set where "Everyone" has read access."

    I think you need "Read and Execute" permission.

     

    Do you have another antivirus and is it from the same vendor.

    And if you do, how did you deploy antivirus firt time around was it through GPO or some other method.

     

    If you are lucky enoguh you may be able to deploy it as an upgrade where you can use GPO to uninstall the current and deploy the new version.

     

    Another suggestion is to use DFS when you use GPO for software deployments. It makes it so much easier when you have to replace the server and plus then you have the ability to have "local" installs where the clients download from the server that's in their local network rather then remote server.

     

     


    Monday, January 16, 2012 6:30 AM
  • Everyone,

     

    I believe i'm getting closer and closer to being able to deploy as I require.  I have check everything above, and now i'm getting to where it's trying to deploy, but it keeps giving me the following errors:

    The removal of the assignment of application exe2msiSetupPackage from policy Install AVG failed. The error was : %%1603

    The assignment of application exe2msiSetupPackage from policy Install AVG failed. The error was : %%1603

     

    So, i'm constantly throwing error 1603.

     

    Any thoughts?  Any help on this is greatly appreciated, we really need to be able to deploy software through GP

     

    Thank you!!!

    Monday, January 23, 2012 10:13 PM
  •  

    http://support.microsoft.com/kb/834484

     

    You may receive this error message if any one of the following conditions is true:

    • The folder that you are trying to install the Windows Installer package to is encrypted.
    • The drive that contains the folder that you are trying to install the Windows Installer package to is accessed as a substitute drive.
    • The SYSTEM account does not have Full Control permissions on the folder that you are trying to install the Windows Installer package to. You notice the error message because the Windows Installer service uses the SYSTEM account to install software.
    Monday, January 23, 2012 10:42 PM
  •  

    http://support.microsoft.com/kb/834484

     

    You may receive this error message if any one of the following conditions is true:

    • The folder that you are trying to install the Windows Installer package to is encrypted.
    • The drive that contains the folder that you are trying to install the Windows Installer package to is accessed as a substitute drive.
    • The SYSTEM account does not have Full Control permissions on the folder that you are trying to install the Windows Installer package to. You notice the error message because the Windows Installer service uses the SYSTEM account to install software.

    ok i found this, but please explain...

     

    the folder is not encrypted (to my knowledge, it's a standard newly created share with correct permissions)

    i'm not familiar with the term "substitute drive".  My setup, on my DC...i have the setup package in a shared folder.  Thoughts?

    I have given full permissions to the SYSTEM Account.  I also found somewhere where it stated that i need to turn the windows installer service start-up to automatic...still doesn't work.

    I'm at your mercy :)

    Tuesday, January 24, 2012 1:53 AM
  • On the share level give "Domain Computers" or "Authenticated Users" full access. (\\hs-dc2\software\avg\)

    On the NTFS Security tab give "Domain Computers" or "Authenticated Users" read and execute

    Do not start windows installer as automatic other wise you will not be able to access it. (run it with default manual)

    Register msi on the affected computer and restart (msiexec /regserver)

     

    Also please enable this setting

    Local Machine -> Admin Templates -> System -> Logon -> Always wait for the network at computer startup and logon

    • Edited by Brano Lukic Tuesday, January 24, 2012 3:03 PM
    Tuesday, January 24, 2012 2:56 PM
  • On the share level give "Domain Computers" or "Authenticated Users" full access. (\\hs-dc2\software\avg\)

    On the NTFS Security tab give "Domain Computers" or "Authenticated Users" read and execute

    Do not start windows installer as automatic other wise you will not be able to access it. (run it with default manual)

    Register msi on the affected computer and restart (msiexec /regserver)

     

    Also please enable this setting

    Local Machine -> Admin Templates -> System -> Logon -> Always wait for the network at computer startup and logon


    no luck, i get the same thing.  It's still throwing the same 1603 errors listed above...

     

    ... past the point of knocking my head against the wall. 

     

    I'm open for any suggestions, thank you!!

    Tuesday, January 24, 2012 9:50 PM
  •  

    check this links out and see if they give you any new ideas

    http://social.technet.microsoft.com/Forums/en-US/winserverGP/thread/9ccc563b-b995-47f7-b4ec-2342c2b414cf/

    http://www.appdeploy.com/messageboards/tm.asp?m=74208&mpage=1&key=&#74208

    it starting to look like that there is some registry keys that need to be removed

    Tuesday, January 24, 2012 10:00 PM
  • ok everyone, i'm throwing my hands up.  I just put a newly formatted computer on the network, added it to my test OU that has this "Install AVG" GPO, and it throws the same 1603 errors. 

     

    Brano i'm going to read through your posts now, just wanted to post this for the morning crowd and see what your thoughts are concerning this.

     

    Thank you all.  i know we'll get this going, just aggrevating

    Wednesday, January 25, 2012 2:03 PM
  • > The software is in a share on the domain controller that is visible from
    > my computer, and permissions are set where "Everyone" has read access. I
    > have tested the package on my computer and it installs correctly if I do
    > it manually, so it's a good package.
     
    "Good package" may be wrong. Did you try to install it silent? (/qb
    command line switch) And did you try to install it "very silent" in
    computer context? (/q commandline switch, executed via "psexec -s") That
    variant is closest to what GPO deployment does
     
    (To be honest, you have to add ADDEPLOY=1 to do what GPO deployment
    implements - MSI packages sometimes are authored to recognize ADDEPLOY=1
    and then refuse installation...).
     
    Windows installer logs to %windir%\temp\, take a look there for files
    named MSI*.log (* is a random 5 digit number).
     
    sincerely, Martin
     

    A bissle "Experience", a bissle GMV... Wenn meine Antwort hilfreich war, freue ich mich über eine Bewertung! If my answer was helpful, I'm glad about a rating!
    Wednesday, January 25, 2012 2:21 PM
  • > The software is in a share on the domain controller that is visible from
    > my computer, and permissions are set where "Everyone" has read access. I
    > have tested the package on my computer and it installs correctly if I do
    > it manually, so it's a good package.
     
    "Good package" may be wrong. Did you try to install it silent? (/qb
    command line switch) And did you try to install it "very silent" in
    computer context? (/q commandline switch, executed via "psexec -s") That
    variant is closest to what GPO deployment does
     
    (To be honest, you have to add ADDEPLOY=1 to do what GPO deployment
    implements - MSI packages sometimes are authored to recognize ADDEPLOY=1
    and then refuse installation...).
     
    Windows installer logs to %windir%\temp\, take a look there for files
    named MSI*.log (* is a random 5 digit number).
     
    sincerely, Martin
     

    A bissle "Experience", a bissle GMV... Wenn meine Antwort hilfreich war, freue ich mich über eine Bewertung! If my answer was helpful, I'm glad about a rating!


    I just tried installing it as :

    \\hs-dc2\software\avg\installavg.msi /qb and it fired right up.  Magnolia_Schools.exe is running and will complete, whereas when GP runs this it never tries executing magnolia_schools.exe

    Just confirmed, running it /qb installed successfull. 

     

    To try it the other way, would it be

    \\hs-dc2\software\avg\installavg.msi /qb addeploy=1

    ?

     

    Sorry i'm such a newb, your help is really appreciated

    Wednesday, January 25, 2012 3:48 PM
  • > Magnolia_Schools.exe
     
    What's that???
     
    > \\hs-dc2\software\avg\installavg.msi
    > <file://\\hs-dc2\software\avg\installavg.msi> /qb addeploy=1
     
    /qb ADDEPLOY=1
     
    Uppercase matters (:
     

    A bissle "Experience", a bissle GMV... Wenn meine Antwort hilfreich war, freue ich mich über eine Bewertung! If my answer was helpful, I'm glad about a rating!
    Thursday, January 26, 2012 8:13 AM
  • >     Windows installer logs to %windir%\temp\, take a look there for files
    >     named MSI*.log (* is a random 5 digit number).
     
    Did you take a look there for any MSI logs? If there are logs related to
    AVG, feel free to post their content.
     

    A bissle "Experience", a bissle GMV... Wenn meine Antwort hilfreich war, freue ich mich über eine Bewertung! If my answer was helpful, I'm glad about a rating!
    Thursday, January 26, 2012 8:13 AM
  • > Magnolia_Schools.exe
     
    What's that???
     
    > \\hs-dc2\software\avg\installavg.msi
    > <file://\\hs-dc2\software\avg\installavg.msi> /qb addeploy=1
     
    /qb ADDEPLOY=1
     
    Uppercase matters (:
     

    A bissle "Experience", a bissle GMV... Wenn meine Antwort hilfreich war, freue ich mich über eine Bewertung! If my answer was helpful, I'm glad about a rating!

    I should have explained, my apologies.  The InstallAVG.msi is the package I have GP deploying.  it is a package that AVG wrote for us that goes in, uninstalls the two previous antivirus softwares we have on our network if it is present, and then wraps it to run magnolia_schools.exe which installs the AV software.  I am uninstalling AVG now and will try reinstalling with \\hs-dc2\software\avg\installavg.msi /qb ADDEPLOY=1 and report back.

    also, the only logs I found that were around the time of the install attempt were such as these:

    1: 2905 2: C:\windows\system32\appmgmt\MACHINE\{06ee0d46-cd5f-4216-a09f-2aeb573aa5ba}.aas
    1: 2905 2: C:\windows\system32\appmgmt\MACHINE\{06ee0d46-cd5f-4216-a09f-2aeb573aa5ba}.aas

    Does that tell you anything?

    I will say this, if this means anything...now that AVG is installed, the event logs are changing from an error %%1603 to this:

    Failed to apply changes to software installation settings. The installation of software deployed through Group Policy for this user has been delayed until the next logon because the changes must be applied before the user logon. The error was : %%1274

    The removal of the assignment of application exe2msiSetupPackage from policy Install AVG failed. The error was : %%2

    So it acts like it's at least seeing that the package is installed...and reacting differently, correct?

    Thanks so much

    Thursday, January 26, 2012 2:10 PM
  • > C:\windows\system32\appmgmt\MACHINE\{06ee0d46-cd5f-4216-a09f-2aeb573aa5ba}.aas
    > C:\windows\system32\appmgmt\MACHINE\{06ee0d46-cd5f-4216-a09f-2aeb573aa5ba}.aas
     
    These are the application advertisement scripts that AppMgmt creates
    when adding MSI packages.
     
    > Failed to apply changes to software installation settings. The
    > installation of software deployed through Group Policy for this user has
    > been delayed until the next logon because the changes must be applied
    > before the user logon. The error was : %%1274
     
    This happened at boot/logon? Did you activate "Always wait for the
    network at startup and logon"? If not: Please do. (I think you already did).
     
    And if there are no msi*.log files in %windir%\temp: Enable Installer
    logging through GPO:
     
    Computer configuration - policies - administrative templates - windows
    components - windows installer: Enable "Logging" and set it to
    "voicewarmup".
     
    > The removal of the assignment of application exe2msiSetupPackage from
    > policy Install AVG failed. The error was : %%2
     
    2 means "File not found".
     
    > So it acts like it's at least seeing that the package is installed...and
    > reacting differently, correct?
     
    Somehow - yes. But as the msi is only a wrapper for an exe file (invoked
    through a custom action), we soon may get stuck. Analyzing exe
    installers is far beyond my capabilities (-:
     

    A bissle "Experience", a bissle GMV... Wenn meine Antwort hilfreich war, freue ich mich über eine Bewertung! If my answer was helpful, I'm glad about a rating!
    Thursday, January 26, 2012 2:38 PM
  • so i just completed installing AVG successfully using \\hs-dc2\software\avg\installavg.msi /qb ADDEPLOY=1

    as soon as I ran it, it popped up the msi installer real quickly and dissappeared.  I checked taskmanager and Magnolia_Schools.exe was running as it should have been.  Everything went through just fine.

    To answer your question, I do have ""Always wait for the network at startup and logon" enabled. 

    Anyone have a test MSI package that we know is good that I can try? 

     

    I will admit, I came into this position about 3 months ago and our active directory / group policy structure is a mess.  I am more than likely about to post our DCDIAGS to get some input on our setup in another thread, but for these errors...it seems like it's getting to where it needs to go, just erroring out along the way. 

     

    This tell you anything?

    Thank you

    Thursday, January 26, 2012 7:35 PM
  • So you have established that the manual install works from the same package.

    Now can you try to advertise that package to a clean machine (VM or something).

    If it fails there then the problem is with the package and the wrappers that they use inside to call another package.

    Ask them to give you a clean package that doesn't make any calls to other packages and try to deploy it that way.

    You are almost beter off to create the a script that :

    removes current antivirus package

    then adds a computer to a group that forces new package to be installed via gpo (your target group)

    then forces the reboot

    It would be nice if you would have SCCM or some other high end tool then you wouldn't have to deal with this deployment issues.

    Thursday, January 26, 2012 8:54 PM
  • So you have established that the manual install works from the same package.

    Now can you try to advertise that package to a clean machine (VM or something).

    If it fails there then the problem is with the package and the wrappers that they use inside to call another package.

    Ask them to give you a clean package that doesn't make any calls to other packages and try to deploy it that way.

    You are almost beter off to create the a script that :

    removes current antivirus package

    then adds a computer to a group that forces new package to be installed via gpo (your target group)

    then forces the reboot

    It would be nice if you would have SCCM or some other high end tool then you wouldn't have to deal with this deployment issues.

    I have tried this on a clean-imaged Windows 7 computer, and it does the same thing with the same error messages (1603).

    As for getting these msi packages, I would like to deploy instances such as Silverlight, flash, java, antivirus, adobe acrobat reader.  Now, I can't find the MSI package for silverlight, but I unpacked the EXE and it had install.exe, install.res.dll, silverlight.7z, silverlight.msi files within it.  I point a GPO to this package, and it fails.

    I'm sure my base knowledge of GPO software deployment is lacking, but something somewhere is screaming that my entire AD/GPO setup is all messed up...i could be wrong though.

    SCCM: working on that, but administration is hesitant to fund the $53/FTE bill...we're getting there though.  I come from a full SMS/SCCM shop and LOVED it.  those were the days...

    i'm open to any suggestions, or a helping hand in putting all of our domain to sleep and starting over ;)

    Thursday, January 26, 2012 10:02 PM
  • Find any msi that you have that you know it works.

    If you don't have one you can try downloading adobe http://get.adobe.com/reader/enterprise/

    Once you have the msi try to deploy it via gpo from the same server and see if what kind of results you get.

    If it works, the problem is the package that you have for AVG.

    If it doesn't then problem is the GPO, security settings, filtering, msiservice, etc...

     

     

    Thursday, January 26, 2012 10:55 PM
  • > as soon as I ran it, it popped up the msi installer real quickly and
    > dissappeared. I checked taskmanager and Magnolia_Schools.exe was running
    > as it should have been. Everything went through just fine.
     
    If I understand this right, then magnolia_schools.exe is an asynchronous
    child process - this (in my experience) will NOT work through GPO
    installation.
     > Anyone have a test MSI package that we know is good that I can try?
     
     
    I definitely know that this MSI can be deployed through GPO.
     
    sincerely, Martin
     

    A bissle "Experience", a bissle GMV... Wenn meine Antwort hilfreich war, freue ich mich über eine Bewertung! If my answer was helpful, I'm glad about a rating!
    Friday, January 27, 2012 12:09 PM
  • > as soon as I ran it, it popped up the msi installer real quickly and
    > dissappeared. I checked taskmanager and Magnolia_Schools.exe was running
    > as it should have been. Everything went through just fine.
     
    If I understand this right, then magnolia_schools.exe is an asynchronous
    child process - this (in my experience) will NOT work through GPO
    installation.
     > Anyone have a test MSI package that we know is good that I can try?
     
     
    I definitely know that this MSI can be deployed through GPO.
     
    sincerely, Martin
     

    A bissle "Experience", a bissle GMV... Wenn meine Antwort hilfreich war, freue ich mich über eine Bewertung! If my answer was helpful, I'm glad about a rating!

    OK guys,

    I downloaded the Group Policy Log View Tool, and reader X (had to extract from the EXE file downloaded from the link supplied above...THANKS) and both WORKED perfectly. 

    So looks like it's the package.  AHHHHHH

    So, other than contacting AVG support to repair our package... do you suppose there are any other options?  We can run this package manually and it works perfectly, through GP not so much

    I really appreciate you all
    Thanks!

    Friday, January 27, 2012 9:11 PM
  • > So, other than contacting AVG support to repair our package... do you
    > suppose there are any other options? We can run this package manually
    > and it works perfectly, through GP not so much
     
    An Installation snapshot might be possible, but I do not recommend this.
    You should ask AVG to fix this.
     
    sincerely, Martin
     

    A bissle "Experience", a bissle GMV... Wenn meine Antwort hilfreich war, freue ich mich über eine Bewertung! If my answer was helpful, I'm glad about a rating!
    Monday, January 30, 2012 12:13 PM