Updated MSI deployment via GPO

We use a GPO to deploy WithSecure Elements Agent to all client PCs. Works fine.

Now I downloaded a new version of the MSI from the portal, and added it to a new GPO while disabling the old GPO. What happens now is that the installer wants to uninstall the previous version (which is actually the same version as in the new MSI). This uninstallation leaves some traces behind, causing the new install to fail, leaving the client unprotected. This can be fixed by running the FsUninstallationTool, but I cannot do this to 300 clients of course.

What is the best practice to handle new MSI files in combination with GPOs? I know of the following options:
- You can create a new GPO and remove the old one.
- You can add the new MSI to the existing GPO as an update of the previous MSI.
- You can add the new MSI to the existing GPO, but not as an update of the previous MSI.

I tried a lot of these combinations, but the result is mostly the same.


  • Sethu Laks
    Posts: 125 Moderator
    edited June 8

    Hi @bmaster

    Thank you for reaching out to our WithSecure Community.

    In your scenario, we would recommend the following best practices:

    • Remove the old GPO.
    • Select the following option to keep the Agent installed.
    • Activate the new GPO.

    We are happy to assist you if you still have any questions.



  • bmaster
    Posts: 11 Observer

    I'll keep an eye on it, but during my tests, this method caused the new MSI to uninstall the software first, even though it was the same version. I'll do some more experiments, and get back to you when I run into problems. Thanks.