Automatic Software Deployment with Group Policy Objects

Why?

Automatic deployment of software updates is today more important than virus scanners are, because antivirus vendors have lost the race and trojans often use known software bugs to get in. If you don't believe this, read more here.

How?

Windows includes a largely unknown function to automatically install and update software. Most people know only Windows Update or Microsoft Update, which can update only Windows, Internet Explorer, and Microsoft Office. There is another function, which can install and update arbitrary software. Microsoft implemented this feature first in Windows 2000; it's also in XP, Vista and 7. However, there are limitations:
The last limitation is mitigated by the fact that today most installers are in some way based on MSI files. Thus, even if the software distributor doesn't offer an MSI variant, it's usually possible to extract the MSI files from the installer with certain tricks. But this limitation is still the most serious one: if you start to deploy software via GPO, the most time-consuming part is not learning how to configure the server, but finding out two things: how to get the required MSI files, and what you need to configure inside them to make the whole concept really work well and reliably.

Why not use other automatic updaters?

Some of the affected software comes with its own automatic updaters. But they all work only if either the users work with admin rights, or the software was installed without admin rights inside a user directory. Both cases mean that executable files are writable by users. This means that they are also writable by any software that the users execute, which means that viruses can spread. So this is not a solution. (Side note: Antivirus software can update itself without requiring users to work with admin rights. But something seems to prevent this idea from spreading to other software companies, outside the antivirus world.)

I have also tried several other tools that promise to automate software updates. All failed more or less. So far the best that I have seen is GPO software deployment from a Windows server.

MSI-HOWTOs

Obtaining the MSI files is different for each and every software product. Each piece of software needs its own tricks, and even new versions of the same software may need different tricks. The difficulty level goes from trivial, with great support from the software vendor, to almost impossible, with their community coordinator telling you that they don't care if you stop using their software.

Configuration is needed for most MSI files to make them really work reliably. It is required, for example, because you don't want the installation to fail with an error message if the installer detects that a new version is already available. Also, if you have decided to deploy updates, you don't want your users to be annoyed by the automatic updaters that come together with the installed software. You cannot possibly offer all updates on the same day they become available, so these functions must be disabled.

I have collected here descriptions for obtaining and patching MSI files for several programs. The list contains those for which I think it's most important, because their bugs are most commonly used to plant malware. Look in the vertical menu in the upper left of this page.

(last update: 18-Jan-2012)
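
The argument under "Why not use other automatic updaters?" rests on whether users can write to executable files. The PowerShell audit below is an added example, not part of the original page: the function name Find-UserWritableExecutable and the choice of the Program Files trees as roots are assumptions, and it reports only allow entries granted directly to the Everyone, Authenticated Users and Users groups.

```powershell
# Added example: list .exe/.dll files that broad, non-admin groups may modify.
function Find-UserWritableExecutable {
    param([Parameter(Mandatory)][string[]]$Path)

    # Well-known SIDs, so the check does not depend on the Windows display language.
    $broadSids = 'S-1-1-0',      # Everyone
                 'S-1-5-11',     # Authenticated Users
                 'S-1-5-32-545'  # BUILTIN\Users

    # Rights that allow a file to be altered, replaced or re-permissioned.
    $R = [System.Security.AccessControl.FileSystemRights]
    $specific  = [int]($R::WriteData -bor $R::AppendData -bor $R::Delete -bor $R::ChangePermissions -bor $R::TakeOwnership)
    # Some ACEs store generic bits instead: GENERIC_WRITE (0x40000000), GENERIC_ALL (0x10000000).
    $writeMask = $specific -bor 0x40000000 -bor 0x10000000

    Get-ChildItem -Path $Path -Recurse -File -Include *.exe, *.dll -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            $acl  = Get-Acl -LiteralPath $file.FullName -ErrorAction SilentlyContinue
            if (-not $acl) { return }   # unreadable ACL: skip this file

            # Explicit and inherited entries, with identities returned as SIDs.
            $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
                Where-Object {
                    $_.AccessControlType -eq 'Allow' -and
                    $broadSids -contains $_.IdentityReference.Value -and
                    ([int]$_.FileSystemRights -band $writeMask)
                } |
                ForEach-Object {
                    [pscustomobject]@{
                        File   = $file.FullName
                        Sid    = $_.IdentityReference.Value
                        Rights = $_.FileSystemRights
                    }
                }
        }
}

# Assumed roots: the machine-wide install locations.
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
Find-UserWritableExecutable -Path $roots | Sort-Object File | Format-List
```

Per-user installs inside a profile directory are writable by their owner by design and are not flagged here; deny entries, nested group membership and write access to the parent directory are also not evaluated.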