Unable to deploy a software update through GPO

I've to update LibreOffice for >50 users and I'm struggling with GPO (first time I'm using GPOs).

Here's the steps I've followed so far:

  • Create a distribution point: .msi package is available for all computers on a shared disk (\\<server>\LibreOffice\LibreOffice_7.0.4_x64.msi with Write & Execution rights for everyone)
  • Create a Group Policy Object: In Group Policy Management, I've selected our Domain, right clicked Group Policy Objects and selected New. I've named the GPO and leave Source Starter GPO as (none)
  • Assign an .msi package:
    • I've edited the package using ORCA and set the locale to 1036 (fr)*
    • On the previously created policy, on the Settings Tab, I've expanded the User Configuration > Policies > Software Settings.
    • Right clicked Software Installation and selected New > Package, and selected the previously shared package (\\<server>\LibreOffice\LibreOffice_7.0.4_x64.msi). I've choose Assigned
    • After few seconds, the package appears in the right pane. I double-cliked on it, selected the Deployment tab, and checked Install this application at logon and at the user interface section selected Basic
    • back on the Group Policy Management window, I clicked our domain name, selected Link an existing GPO and selected the previously created policy
  • Assign accounts to the GPO: I've removed Authenticated Users and add my personal account (for test purposes)

At this point I was expecting the GPO to be effective. I logged-out and in, checked my LibreOffice version, and nothing had change. Running gpupdate /force was also ineffective. The most intriguing part is that, from the Group Policy Management tab, on the newly created GPO, Settings tab of the right pane, I've the following error message (free translation):

An error happened during the report generation.

An undefined error happened during the creation of the HTML report.

Which, I believe, is due to the malformed .msi package.

To confirm this, I've repeated the process described above with another package (Google Chrome ones). There's no error in the HTML report, though the GPO is still ineffective.


Question Does anyone identify what I am missing here ? I've double checked several guides/tutorials I've found online but couldn't identify what I'm doing wrong.


Apologies for this long unprecised post written with my poor english. Please, for other users, feel free to edit my syntax, grammar, or whatever would make this post clearer. Thanks.


Solution 1:

Authenticated Users need to be able to read the Group Policy Object in order for it to be applied. Add Authenticated Users on the Delegation tab of the GPO with Read permission only (not Apply).

Make sure your user account is in the scope of management of the GPO.

User based software installation most often requires two logons to be applied.

Computer based software installation often requires two system reboots to be applied.

Software installation runs during foreground GP processing (at start up and at logon). It does not occur during background policy processing, so running gpupdate/force will have no effect.

EDIT

To clarify, you don't want Authenticated Users in the Security Filtering section of the GPO. You want them on the Delegation tab of the GPO with Read permission to the policy because the computer needs to read the policy in order to apply it. See this article for an explanation:

https://support.microsoft.com/en-us/topic/ms16-072-security-update-for-group-policy-june-14-2016-7570425d-d460-3003-b2ac-a464c874725d

Scope Tab:

enter image description here

Delegation Tab:

enter image description here

Authenticated Users Permissions:

enter image description here