Share via

Mailbag: How can I deploy the .NET Framework 2.0 using Group Policy?

  • Article

Question

You previously posted a set of instructions that can be used to run the .NET Framework 2.0 setup by calling the MSI directly. The instructions in that post describe a command line parameter named ADDEPLOY that needs to be passed to msiexec.exe to allow the MSI to install correctly.

I want to deploy the .NET Framework 2.0 in my network using Group Policy. I cannot specify a command line parameter like ADDEPLOY in the Group Policy deployment package creation UI. How can I deploy the .NET Framework 2.0 MSI on my network using Group Policy?

Answer

The following example steps can be used to create a Group Policy object to deploy the .NET Framework 2.0 in a network:

  1. Click on the Start menu, choose Run and type cmd
  2. Create an administrative install point for the .NET Framework 2.0 by running dotnetfx.exe /c:"install.exe /a" and stepping through the wizard UI
  3. Add the netfx.msi that is created in the administrative install point created above to the Group Policy object. The path to netfx.msi must be located on a share that is accessible from all computers where it will be deployed to, not on a local path (example - \\server\share\netfx20\netfx.msi not C:\netfx20\netfx.msi)

It is important to note that the .NET Framework 2.0 only supports deployment by machine assignment, not by user publishing. This is because the user may not be an administrator on the machine in the advertised scenario, and because the .NET Framework is a per-machine and not a per-user application.

Behind the scenes, the .NET Framework 2.0 MSI has a custom action named CA_BlockDirectInstall_GUIH_SKU_URT that is used to prevent users from installing by double-clicking on the MSI directly. This custom action has the following complex condition statement in the InstallExecuteSequence table:

( NOT (ADDEPLOY = 1 OR USING_EXUIH = 1 OR USING_EXUIH_SILENT = 1 OR ADVERTISED = 1 OR ProductState >= 1) ) AND ( NOT (ADDEPLOY = 1 OR USING_EXUIH = 1 OR USING_EXUIH_SILENT = 1 OR ADVERTISED = 1 OR ProductState >= 1) )

The ADVERTISED property will be automatically set if you create a Group Policy object to deploy the .NET Framework 2.0 MSI to a network by machine assignment.

Comments

  • Anonymous
    February 10, 2006
    The comment has been removed

  • Anonymous
    February 11, 2006
    Недавно я рассказывал о нанесении тяжких душевных повреждений разработчику, то е

  • Anonymous
    February 28, 2006
    The comment has been removed

  • Anonymous
    February 28, 2006
    Hi Vaughn - Can you paste in the exact text of the error message in the application event log on this system?  Also, can you verify that the account that is attempting to run the setup on the target machine when it is assigned via machine assignment has permission to access the UNC path where the MSI exists?

    Note - if you run the MSI directly and do not pass in one of the properties listed in the condition above, it is expected that you will get an error dialog stating that you should run install.exe to install the product.

  • Anonymous
    March 02, 2006
    Question
    You previously posted instructions for how to create an administrative install point (AIP)...

  • Anonymous
    March 03, 2006
    Thank you for your post. It helps me to plan how to deploy .Net framework in my network.

    I have one question about setting security.
    Can I preset the security level of clients environment?

    Thank you,

  • Anonymous
    March 03, 2006
    Hi Eric - I am not an expert at tweaking .NET security settings, but I believe you could accomplish this by creating some customized .config files and installing them onto your systems after you install the .NET Framework 2.0.  Microsoft internal IT does something similar for computers that are connected to our corporate network

  • Anonymous
    April 11, 2006
    The comment has been removed

  • Anonymous
    March 08, 2007
    I previously posted a set of instructions for creating an administrative install point for the .NET Framework

  • Anonymous
    July 18, 2007
    The comment has been removed

  • Anonymous
    November 27, 2007
    Are there instructions to install .Net Framework 3.5 through Active Directory.  Attempting the above doesn't seem to work. Thanks

  • Anonymous
    November 27, 2007
    Hi Scotthellewell - The instructions for deploying the .NET Framework 2.0 SP1, 3.0 SP1 and 3.5 are different than the ones listed here.  The documentation for how to do this is currently still being reviewed, but it should be posted and available on MSDN soon.  I will create a new blog entry with a link to the updated documentation once it is available.  I'm sorry for the hassles in the meantime.

  • Anonymous
    December 07, 2007
    We're looking at developing a generic external ui handler for our suite of products. Group Policy deployability is big concern for our company. Can you please explain how the ADVERTISED property is being set when a GPO is created to deploy the .NET Framework 2.0 MSI? Is this standard Group Policy behavior for any MSI, or functionality your team had to implement? Thanks

  • Anonymous
    December 07, 2007
    Hi Pmcclosk - We did not have to do anything specific in .NET Framework setup to allow Group Policy deployment.  Following the steps listed in this blog post should work fine without taking any additional action in your Group Policy objects.  One thing to note there - Group Policy requires creating an object for each MSI.  That means that even if you have an external UI handler, if a user wants to deploy your product via Group Policy, they will have to create a separate GPO to deploy the .NET Framework 2.0 MSI prior to deploying your product MSI. It looks like my explanation in this blog post is not correct though - I had thought that the ADVERTISED property was something standard in Windows Installer, but I can't find it in the documentation anywhere.  I'm not sure exactly what gets set during a GPO deployment, but we have verified that this CA_BlockDirectInstall_GUIH_SKU_URT custom action does not run during GPO machine assignment scenarios, and therefore does not block you from running the MSI directly in that type of scenario.

  • Anonymous
    December 10, 2007
    Thanks Aaron. I've found that by querying the ProductState of the running installation when it is assigned by machine through group policy will return INSTALLSTATE_ADVERTISED.

  • Anonymous
    December 16, 2007
    A while back, I posted some instructions that can be used to create an administrative install point for

  • Anonymous
    December 16, 2007
    A while back, I posted some instructions that can be used to create an administrative install point for

  • Anonymous
    December 16, 2007
    PingBack from http://msdnrss.thecoderblogs.com/2007/12/17/creating-an-administrative-install-point-for-the-net-framework-20-sp1/

  • Anonymous
    December 16, 2007
    PingBack from http://msdnrss.thecoderblogs.com/2007/12/17/creating-an-administrative-install-point-for-the-net-framework-20-sp1-2/