Cleanup Group Policy Software Installations

Group Policy can be a wonderful way to manage software. As long as you can come up with a .msi, all you have to do is assign the appropriate group to the software Policy, assign the workstation to the appropriate group, and Active Directory takes care of the rest. You can even specify in the policy that the software should automatically uninstall when it falls out of scope (when the Policy is deleted, disabled, or the workstation is removed from the group). This leaves the workstation ready for the next version to be installed, or ensures the software is removed for licensing reasons.

This also introduces a problem. Sometimes you will run into applications that, for whatever reason, do not come off cleanly. They may be removed from the machine, or mostly removed, but if the computer still thinks they are partly installed it will continue trying to remove them every time policy is applied at startup. Not only that, but no new software installations via group policy will take place until the situation is resolved. Obvously, if you are trying to upgrade one or more applications, this is an issue. All of the applications successfully remove themselves, save our problem app, and now NONE of the new versions can be installed.

One way to fix this is to install run the Microsoft Installer Cleanup Utility (retired by MS, but still available if you look). This utility will show applications that still have remnants hanging about in the system, even if they don’t show up in add/remove programs, and allow you to remove the remaining references. Thus, group policy processing is happy, and the rest of your installs proceed the next time you boot.

That way is obviously not ideal when you are managing ~2000 workstations. So, finally, I have managed to develop a better method. Run the following VBScript as a startup script on the affected workstations. It will do the following:

  1. Delete the reference to the app inthe Group Policy reg key, making GP happy and allowing other apps to install.
  2. Reinstall the app from the msi, for a pristine new install that can then be…
  3. Removed cleanly

Startup scripts run after software installation is processed, so it will take two reboots to complete the upgrade. Depending on how large the application is, give it sufficient time to install and uninstall before you reboot.

Here is the magic! Save it as whatever.vbs

'Created by Jay P Morgan
'Locate the application under \AppMgmt\ in the registry
'Modify strHive, strKeyPath, strMSI - then run.

Option Explicit

Const strHive = "HKLM\"
Const strKeyPath = "SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\AppMgmt\{enter the key here}"
Const strMSI = """\\server\share\path\to\file.msi"""
Const strComputer = "."
Const WindowHidden = 0
Const WaitForRun = True
Const HKCR = &H80000000
Const HKCU = &H80000001
Const HKLM = &H80000002
Const HKU = &H80000003
Const HKCC = &H80000005
Const HKDD = &H80000006
Dim objRegistry, objShell
Dim arrValueNames(), arrValueTypes()
Dim strInstall, strUninstall

strInstall = "msiexec /i " & strMSI & " /qn"
strUninstall = "msiexec /x " & strMSI & " /qn"
Set objRegistry = GetObject("Winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\default:StdRegProv")
If objRegistry.EnumValues(HKLM, strKeyPath, arrValueNames, arrValueTypes) = 0 Then
' wscript.echo "GP registry key found; Deleting Key"
objRegistry.DeleteKey HKLM, strKeyPath
Set objShell = Wscript.CreateObject("Wscript.Shell")
' wscript.echo "Reinstalling program"
objShell.Run strInstall, WindowHidden, WaitForRun
' wscript.echo "Removing program"
objShell.Run strUninstall, WindowHidden
' wscript.echo "Complete"
' wscript.echo "GP registry key Not found"
End If


~ by Jay P Morgan on February 24, 2011.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s