404 Tech Support

How to Apply Patches (.msp) to Group Policy Deployed Software (.msi)

In hopes of establishing manageability, greater security, and efficiency through centralization, I’ve been successfully adding more and more applications to those which are deployed via Group Policy. When I have to upgrade hundreds of computers from one version to a new version, it is not plausible to walk around and install the latest version manually. Instead, I’ve successfully deployed:

This works well enough for deploying software. For something licensed like Acrobat, I just deploy the software to select computers by adding specific computers to a security group in the Active Directory and restrict the number of deployed instances to the number of licenses we have available.

For this article, we’ll be using Adobe Reader 9 to discuss updating the deployed software. You can read about the original deployment of Adobe Reader 9.0 in this article on the Adobe Customization Wizard. Unfortunately, Adobe had to release 9.1, 9.1.1, and 9.1.2 versions to deal with the JavaScript exploit that was possible in malicious PDFs and other bugs. Now we need to deploy those updates to the machines that we remotely loaded with Adobe Reader 9.0.

You can find Adobe Reader 9.1 as a full installer (.msi) and the 9.1.1 and 9.1.2 updates as incremental patches (.msp) at the Adobe Reader update site. You’ll need an agreement with Adobe on file to distribute their software. Yes, even the free ones, and even internally to your building. It only takes a few minutes to request an agreement, and you get an answer back shortly. You can also opt to get e-mails about updates and such.

Following the instructions from the Adobe Customization Wizard post, you can deploy 9.1 as a standard package through Group Policy using the .msi. If you visit the update page for Adobe 9.1.2, you’ll see that it can apply to 9.1 or 9.1.1. Since we have 9.1 deployed, this won’t be a problem and we’ll just need to apply the .msp patches for 9.1.2.

Step 1 Make a copy of your Adobe Reader 9.1 deployment folder locally. This is what holds the .msi and related files for distribution. It can be copied anywhere locally; we just want to work on it locally as it’s a little more reliable than working on the server. Plus, you need a second copy anyway.

Step 2 Download the .msp file for the version you want to go to. In this case, download the Adobe Reader 9.1.2 update. Put this .msp into your local copy of the Adobe Reader 9.1 deployment folder.

Step 3 We need to slipstream the patch into the 9.1 MSI. This way the original file is up to date.

Open a command prompt and CD your way to the local copy that you made. Then run the following command:

msiexec /a [reader.msi file name] /p [Reader .msp file name]

With the file names filled in, it should look something like this:

msiexec /a Reader91.msi /p AdbeRdrUpd912_all_incr.msp

This will run you through the normal installation process for the patch, but it will actually be taking effect on the .msi file, not your computer.

Step 4 Once the installer completes, you can copy this local copy of the deployment folder as a sub-folder into the server copy of the Adobe Reader 9.1 deployment folder.

Add the new package to the same GPO like normal. Leave the original package there and just add this package in addition to it. After you point to the new .msi, choose the Advanced Deployment method. This will bring up the properties menu for the package.

On the Properties page that opens up, switch to the Deployment tab and consider selecting the “Uninstall this application when it falls out of the scope of management” setting. Next, switch over to the Upgrades tab. Click the Add… button to open up another dialog box. Select the Current GPO, the package you want to upgrade, and choose that the package can upgrade over the existing package. You could actually choose either of the last options, but it’s a little faster and more efficient to upgrade instead of uninstall and re-install. For different instances and software, a different option may work better.

You can hit Ok to close all the dialog windows and you should finally see this summary:

Now, anybody that has this GPO applying to them should have Adobe Reader 9.1.2 installed for them the next time the group policy refreshes and they restart their computers.

You should be able to carry this example over for a multitude of other software titles that release their updates in .msp form.
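
Steps 2 and 3 can also be scripted with two checks around them, to run before the copy in Step 4. This is an added example, not part of the original procedure: it checks the patch's Authenticode signature before slipstreaming and reads ProductVersion from the .msi before and after. The folder path, the log file name and the Get-MsiProperty helper are assumptions, and it assumes the vendor signs the .msp.

```powershell
# Added example. File names are the article's; $folder is an assumed path.
$folder = 'C:\Deploy\Reader91'      # assumption: local copy made in Step 1
$msi = Join-Path $folder 'Reader91.msi'
$msp = Join-Path $folder 'AdbeRdrUpd912_all_incr.msp'
$log = Join-Path $folder 'slipstream.log'   # assumed log file name

# Hypothetical helper: read one value from the MSI Property table
# through the Windows Installer COM API.
function Get-MsiProperty {
    param([string]$Path, [string]$Name)
    $sql  = "SELECT Value FROM Property WHERE Property = '$Name'"
    $wi   = New-Object -ComObject WindowsInstaller.Installer
    $db   = $wi.GetType().InvokeMember('OpenDatabase', 'InvokeMethod', $null, $wi, @($Path, 0))  # 0 = read-only
    $view = $db.GetType().InvokeMember('OpenView', 'InvokeMethod', $null, $db, @($sql))
    $null = $view.GetType().InvokeMember('Execute', 'InvokeMethod', $null, $view, $null)
    $rec  = $view.GetType().InvokeMember('Fetch', 'InvokeMethod', $null, $view, $null)
    $value = if ($rec) { $rec.GetType().InvokeMember('StringData', 'GetProperty', $null, $rec, 1) }
    $null = $view.GetType().InvokeMember('Close', 'InvokeMethod', $null, $view, $null)
    # Release the COM handles so msiexec can write to the .msi afterwards.
    foreach ($o in $rec, $view, $db, $wi) {
        if ($o) { $null = [Runtime.InteropServices.Marshal]::ReleaseComObject($o) }
    }
    return $value
}

# 1. Refuse to slipstream a patch whose Authenticode signature does not validate.
$sig = Get-AuthenticodeSignature -FilePath $msp
if ($sig.Status -ne 'Valid') { throw "Patch signature is $($sig.Status); not applying $msp" }
"Patch signed by: $($sig.SignerCertificate.Subject)"

# 2. Record the version, then run the article's command with a verbose log added.
$before = Get-MsiProperty -Path $msi -Name 'ProductVersion'
$p = Start-Process msiexec.exe -Wait -PassThru -ArgumentList "/a `"$msi`" /p `"$msp`" /l*v `"$log`""
if ($p.ExitCode -ne 0) { throw "msiexec exited with $($p.ExitCode); see $log" }

# 3. Confirm the .msi actually changed before copying the folder to the server.
$after = Get-MsiProperty -Path $msi -Name 'ProductVersion'
"ProductVersion: $before -> $after"
if ($after -eq $before) { Write-Warning 'ProductVersion unchanged; check the log before publishing.' }
```

Not every .msp changes ProductVersion, so an unchanged value is a prompt to read the log rather than proof that the patch failed.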