Windows Active Directory – Will GPO Software Installation Reinstall Applications from Different Policy?

Tags: active-directory, group-policy, windows

I'm looking to install our latest AV suite through a GPO Software Installation policy. (As in the below screenclip.)


Unfortunately my request to use DFS has been denied and I'll need to create a GPO for each site in our environment (each site is its own subnet). The issue I have is that a lot of users travel between sites, so as they move to another site, they will get the new GPO and fall out of scope on the previous GPO.

I can't find any concrete documentation as to whether the GPO software install will re-install an application if it already exists on the current PC. I will be using the option to leave the app when the computer falls out of scope.

From my research I found that the GPO will only apply if the version of the GPO has changed, which is fine, but what about the actual MSI?

I've found two scenarios that people put forward but can't back up:

  1. The GPO calls the Windows Installer service that checks the installed programs list and will install only if the current MSI version is not there.

  2. The GPO install keeps its own APP cache with its own list of software, and will install the app if it's not in that list, even if it is already installed.

Can anyone confirm the correct information for me?

EDIT: Thanks for the responses guys, I'm aware of other alternative ways to deploy software, however what I'm after is a concrete answer as to whether a GPO deployment will re-install a package if it already exists on the workstation.

Best Answer

When I've had to do this in the past, I've avoided the Software Install GPO because they're limited and cause as many problems as they solve.

EDIT: In response to your edit, YES, software installation GPOs can and will reinstall software that's already installed. (Which is one of the problems they cause - far from the only one, though.) In your scenario, if you elect to use the Software Installation GPO, this is something you'll have to put in some work to prevent, such as the suggestion in Greg's answer.

When I've had to use GPOs to install software, the way I've done it in the past is to use a GPO that kicks off a scripted install which checks to make sure the thing isn't installed already. See example below, for installing PC*Miler26 (shudder) to a bunch of XP machines.

The screenshot shows the startup script GPO pointing at a location on our corporate DFS (which I've redacted), and the script itself is a bat file, due to the limitations in our environment - with XP machines, and WMI being frequently broken on our clients, that's the only thing that works reliably.


    @echo off
    reg query "HKEY_LOCAL_MACHINE\SOFTWARE\ALK Technologies\PC*Miler 26.0"
    if %errorlevel%==1 (goto Install) else (goto End)

    REM If errorlevel returns a value of 1, it means the key is not present, thus the program is not installed.  So install it.
    :Install
    \\[Our DFS software share]\PCMiler26\Network\setup.exe /s

    REM If errorlevel returns a value other than 1, the key is present, and the program is already installed, or something odd's going on.  No installation.

    :End
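
The same check-before-install idea for an MSI package, as an added example that is not part of the original answer: a PowerShell computer startup script that compares the installed version against the packaged one and only calls msiexec when the product is missing or older. The product name, version, share path and log path are hypothetical placeholders.

```powershell
# Added example: install an MSI only when the product is missing or older
# than the packaged version. All values below are hypothetical placeholders.
$ProductName   = 'Example AV Suite'     # DisplayName as registered by the MSI
$TargetVersion = [version]'1.2.3.0'     # version of the MSI on the share
$MsiPath       = '\\fileserver.example\software\ExampleAV\ExampleAV.msi'
$LogPath       = Join-Path $env:windir 'Temp\ExampleAV-install.log'

# Per-machine installs register under these keys (64-bit and 32-bit views).
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-InstalledVersion {
    param([string]$Name)
    $entries = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -eq $Name -and $_.DisplayVersion }
    $versions = foreach ($e in $entries) {
        $v = $null
        if ([version]::TryParse($e.DisplayVersion, [ref]$v)) { $v }
    }
    # Highest registered version, or $null when nothing matched.
    $versions | Sort-Object -Descending | Select-Object -First 1
}

$installed = Get-InstalledVersion -Name $ProductName
if ($installed -and $installed -ge $TargetVersion) {
    Write-Output "$ProductName $installed already present; nothing to do."
    exit 0
}

if (-not (Test-Path -LiteralPath $MsiPath)) {
    Write-Error "Package not reachable: $MsiPath"
    exit 1
}

# /i install, /qn silent, /norestart, /l*v verbose log for troubleshooting.
$msiArgs = "/i `"$MsiPath`" /qn /norestart /l*v `"$LogPath`""
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
# 0 = success, 3010 = success with a reboot pending.
if ($proc.ExitCode -in 0, 3010) { exit 0 }
Write-Error "msiexec failed with exit code $($proc.ExitCode)"
exit $proc.ExitCode
```

Computer startup scripts run as Local System, so the share holding the script and the MSI should be writable by administrators only.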