Fast AD GPO Software Deployment Method

I want to share one of the fastest methods for deploying software or running a script via an Active Directory Group Policy. This method reduces the time to roll out a change to 10 hours or less. I use this method to roll out critical software like SentinelOne, CrowdStrike, Sysmon, and more.

So, if you want to complete your software deployment faster through an Active Directory Group Policy, this is the method for you.

The Slower AD GPO Software Deployment Method

To understand why this AD GPO software deployment method is so much faster, you must understand the commonly recommended but slower method. The common method is to configure “Computer Configuration -> Policies -> Software Settings -> Software Installations” and add an MSI installation package or configure a startup script.

This slower method requires more steps after the GPO has been applied. First, you must wait at least 10 hours; waiting 24 hours causes fewer issues. Even once all the systems have the new GPO settings, they will not install the software until their next reboot, so this method requires a lot more effort to complete the software installations.

Script or Software Deployment via AD GPO Immediate Scheduled Task

When a system receives a Group Policy update, any immediately scheduled tasks will run at that time. By default, every domain-joined system asks Active Directory for the latest Group Policy settings every 10 hours. The longest we should have to wait for our installation or script to run is 10 hours. In some AD environments, we can even force a GPO update on all the systems via the AD Group Policy management console.

For Initial Deployment Only…

The Immediate Scheduled Task deployment method quickly installs software or runs a PowerShell script on all systems in your environment. However, I recommend you only use it in the short term. Once the initial deployment is complete, you should disable the Immediate Scheduled Task GPO and use the Software Installations or Startup Script GPO methods to maintain deployment on systems added in the future.

Creating an Immediate Scheduled Task In Group Policy

For the following example, I will use an immediate scheduled task to deploy a Sysmon installation script.

Before you start the GPO setup, you must already have a software distribution point: an SMB share where the script or MSI package is stored, with Read and Execute permissions granted to the “Authenticated Users” and “Domain Computers” groups. You will need this network path during the GPO setup.
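Here is an added example (not from the original post) of building that distribution point with PowerShell on the file server. The local folder path is an assumption; the share name is the hidden sdp$ share used later in the post. The point that matters for a defender is the ACL: every domain computer will execute whatever sits in this share as SYSTEM, so only administrators may write to it, and clients get read and execute only.

```powershell
# Added example, not the post's own code. $Root is an assumed local folder;
# the share name matches the sdp$ share referenced in the post.
$Root      = 'D:\SDP'
$ShareName = 'sdp$'
$Domain    = $env:USERDOMAIN           # assumed: run by a domain account on the file server

New-Item -ItemType Directory -Path $Root -Force | Out-Null

# NTFS permissions: replace inherited ACEs so nothing looser leaks in from the parent.
$acl = Get-Acl -Path $Root
$acl.SetAccessRuleProtection($true, $false)
$rules = @(
    @('BUILTIN\Administrators',            'FullControl'),
    @('NT AUTHORITY\SYSTEM',               'FullControl'),
    @('NT AUTHORITY\Authenticated Users',  'ReadAndExecute'),
    @("$Domain\Domain Computers",          'ReadAndExecute')
)
foreach ($r in $rules) {
    $ace = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $r[0], $r[1], 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($ace)
}
Set-Acl -Path $Root -AclObject $acl

# Share permissions: effective access is the intersection of share and NTFS rights,
# so Read here plus ReadAndExecute above leaves clients unable to modify the payload.
New-SmbShare -Name $ShareName -Path $Root `
    -FullAccess 'BUILTIN\Administrators' `
    -ReadAccess 'NT AUTHORITY\Authenticated Users', "$Domain\Domain Computers" | Out-Null

# Review the result before pointing a GPO at it.
Get-SmbShareAccess -Name $ShareName | Format-Table AccountName, AccessControlType, AccessRight
(Get-Acl -Path $Root).Access | Format-Table IdentityReference, FileSystemRights, AccessControlType
```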

Immediate Scheduled Task GPO

  1. Create a new Group Policy Object and begin editing it.
  2. Navigate to “Computer Configuration -> Preferences -> Control Panel Settings -> Scheduled Tasks”.
  3. Right-click in the Scheduled Tasks area and click “New”, then “Immediate Task (At least Windows 7)”.
  4. In the new popup window, configure a name for the Immediate Task.
  5. Configure the task to run as the SYSTEM user.
  6. Set the task to “Run whether user is logged on or not” and check “Run with highest privileges”.
  7. Configure for Windows 7, Windows Server 2008R2.
  8. Now click on the “Actions” tab.
  9. Click on “New…”.
  10. In the new action window, set the values below based on the type of action you want to perform.

     # Run a PowerShell Script
     Action: Start a program
     Program/Script: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
     Add Arguments: -ExecutionPolicy Bypass -command "& \\<SDP-Server>\<share>\<Script.ps1>"
     Add Arguments Example: -ExecutionPolicy Bypass -command "& \\north.sevenkingdoms.local\NETLOGON\SysmonDeploy.ps1"

     # Run an MSI Installer
     Action: Start a program
     Program/Script: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
     Add Arguments: Start-Process "C:\Windows\System32\msiexec.exe" -ArgumentList '/i "\\<SDP-Server>\<share>\<package.msi>" /qn' -Wait -NoNewWindow
     Add Arguments Example: Start-Process "C:\Windows\System32\msiexec.exe" -ArgumentList '/i "\\north.sevenkingdoms.local\sdp$\SentinelInstaller.msi" SITE_TOKEN=ABCDEFGHI= /qn' -Wait -NoNewWindow

  11. Click “OK” to close the new action window.
  12. Click on the “Common” tab.
  13. Check the “Apply once and do not reapply” checkbox.
  14. Click “OK” to finalize and close the new immediate scheduled task.
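As an added example that is not the post's own script, here is a SysmonDeploy.ps1 the immediate task above could launch. The share path is the one from the post; the file names Sysmon64.exe and sysmonconfig.xml, the staging folder and the log file are assumptions. It stages the files locally, refuses to run a binary that is not validly Microsoft-signed, and only installs when the service is absent, so it behaves the same whether the task fires once or is re-applied.

```powershell
# Added example, not the original post's SysmonDeploy.ps1. Share path is from the
# post; file names, staging folder and log file are assumptions.
$Share   = '\\north.sevenkingdoms.local\NETLOGON'
$Staging = Join-Path $env:ProgramData 'SysmonDeploy'   # assumed local staging folder
$LogFile = Join-Path $Staging 'deploy.log'

function Write-Log {
    param([string]$Message)
    "$(Get-Date -Format s) $Message" | Out-File -FilePath $LogFile -Append -Encoding utf8
}

try {
    New-Item -ItemType Directory -Path $Staging -Force | Out-Null

    # Stage the files locally first: the installer never executes straight off
    # the network, and an SMB failure surfaces here before anything is changed.
    foreach ($name in 'Sysmon64.exe', 'sysmonconfig.xml') {   # assumed file names
        Copy-Item -Path (Join-Path $Share $name) -Destination $Staging -Force
    }
    $exe = Join-Path $Staging 'Sysmon64.exe'
    $cfg = Join-Path $Staging 'sysmonconfig.xml'

    # This runs as SYSTEM on every machine in the OU, so check that what we copied
    # is the genuine Microsoft-signed binary before executing it.
    $sig = Get-AuthenticodeSignature -FilePath $exe
    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
        throw "Refusing to run $exe (signature status: $($sig.Status))"
    }

    # Idempotent: install only when the service is missing; otherwise just push
    # the configuration, so a repeated run is harmless.
    if (Get-Service -Name 'Sysmon64' -ErrorAction SilentlyContinue) {
        Write-Log 'Sysmon64 service present; updating configuration'
        $sysmonArgs = @('-c', "`"$cfg`"")
    } else {
        Write-Log 'Sysmon64 service missing; installing'
        $sysmonArgs = @('-accepteula', '-i', "`"$cfg`"")
    }
    $proc = Start-Process -FilePath $exe -ArgumentList $sysmonArgs -Wait -NoNewWindow -PassThru
    Write-Log "Sysmon64 exited with code $($proc.ExitCode)"
    exit $proc.ExitCode
}
catch {
    Write-Log "ERROR: $($_.Exception.Message)"
    exit 1
}
```

The exit code is passed back to the scheduled task, so a failed run shows up in the task's history rather than silently reporting success.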

Apply GPO and Test

Link the newly created GPO to the AD OU containing the systems you want to deploy the software or script to.

Below, I am linking the GPO to the “Servers” OU. In the “Servers” OU, one server is named “CASTELBLACK”.

With the new GPO linked, I can log in to the “CASTELBLACK” server to test the deployment.

Open Task Scheduler and an administrative PowerShell window. If you run the command “gpupdate /force” and quickly refresh the Task Scheduler list, you can catch the immediate scheduled task our GPO creates before it deletes itself. If you catch it, you can review its History tab for issues.

In the test, we forced a group policy update. However, this is not required. Every AD system runs a group policy update every 10 hours by default.

Do you know of a faster GPO deployment method? Let me know in the comments below!