In our network, we have 3 desktops and all are in the same OU, the default Computers OU. We will create a software deployment GPO that will push the Panda antivirus agent from a special share on our server. I prefer to create a share inside the Serverfolders. That Serverfolders folder is the default location of all the folders that are created by default with a Windows Server Essentials installation, any subsequent folder that you share and create from within the Dashboard will be created in the Serverfolders share. I will create a new shared folder called SoftwareDeployment. 1. A typical Windows Server Essentials 2016 Active Directory and its OU’s and GPO’s Let us have a look at what Organizational Units and Group Policies are available in a default WSE 2016 installation. In most cases the 2012 version of Windows Server Essentials does look the same but if your server is migrated from an older version like SBS 2011 or even older versions like 2008 or 2003 the structure will look different but the idea is the same. From the Server Manager (not the Dashboard) choose Tools –> Group Policy Management. The Group Policies and WMI filters that begin with WSE are the ones created when you installed the server initially. Group Policy is a hierarchical infrastructure that allows a network administrator in charge of Microsoft's Active Directory to implement specific configurations for users and computers. Group Policy can also be used to define user, security and networking policies at the machine level. More reading Group Policy for Beginners From Server Manager start Active Directory Users and Computers. In the Active Directory Container ‘Computers’ we will find our desktop clients we have joined to the domain with Connector software. An organizational unit (OU) is a subdivision within an Active Directory into which you can place users, groups, computers, and other organizational units. You can create organizational units to mirror your organization's functional or business structure. More reading Understanding Organizational Units And in the Active Directory Container ‘Users’ we will find all Users and all Security Groups. 2. Create a software distribution share where we will store the application Inside the ServerFolders folder on a typical Windows Server Essentials right click and choose New –> Folder Name the folder SoftwareDistribution. Right click the folder and choose properties Click Advanced Sharing Check ‘Share this folder’. Click Permissions and click add. Type ‘SYSTEM’ and click Check Names Choose SYSTEM as in the screenshot Click OK Give SYSTEM full control Also add Authenticated Users and Domain Computers. Give both of them Read permissions Copy your application to the folder you just created ‘SoftwareDistribution’. Browse to \\server-name\SoftwareDistribution and see if the file you just copied is there. Copy \\server-name\SoftwareDistribution on to the clipboard so you can use it later when we create the policy 3. Installing software on client computers who are in the Computer OU Open Group Policy Management from the Server Manager. Right click Group Policy Objects and choose New Give the new GPO a name Select the GPO you just created and choose edit Open Computer Configuration\Policies\Software Settings and right click and choose Properties. You can click browse but on a default WSE 2016 it does not return anything. That is why we copied the path earlier in this tutorials, past it in the ‘Default Package Location’ box, check Assign and choose Basic for Interface Options. Click OK Right click ‘Software installation’ and choose New –> Package Choose your application Once listed choose Properties In our case we had trouble because the application did not want to install nor did we see an error on our clients. See that this product shows that it is in Chinese? Strange but when you install it it shows in English. We will fix this in the next step. Choose the Deployment tab Make sure you check ‘Ignore language when deploying this package’. It will install with the correct language which is the same as the OS is. This seems to me a bug in the Panda msi or the package needs to be changed but that is out of the scope of this tutorial. Now that we have changed language setting click OK Close Group Policy Management Editor We are back in Group Policy Management and our new GPO is listed but it does not do anything yet. I suggest you change to the default WSE Group Policy WMI filter to make sure this policy gets applied to client OS only Remove Authenticated Users OK Click OK again Click Add Type Domain and then Check Names Choose Domain Computers Click OK Do the same for Domain Users. Now we an link the GPO to our domain at the highest level. This way it will get applied to all our computers with client Operating Systems installed. Choose the WSE Group Policy Software Deployment Small optimization is needed. As this policy only has Computer settings we should disable User Settings. That will make processing GPO’s on the clients more efficient and faster. Click OK Go to a client in your network and run an elevated command prompt and type gpupdate /force. Because we have added a Software Deployment policy it needs to reboot and as shown in the screenshot it will do that. Now if you do not see anything about rebooting and you only see something about logging off and on on again something is wrong with your policy. Windows will reboot. Check System in the Event Viewer, it will show you that it has started installing the application. In our case the policy just dumps a runtime in the Program Files folder and starts installation from there. It will download the actual installation from the Internet and then starts to install it. This can take some time, be patient. You can check Program Files for Panda Security Another Event is logged in the Application log telling us that installation is started. And finally the software has been installed. 4. Apply software distribution only to some computers within a separate Organizational Unit In some circumstances you may need to apply the software distribution only to some computers and not all of them. In this example our company has multiple offices around the country, one in Seattle, one in Dallas and one in Chicago. For those offices we have created Organizational Units and in those OU’s we created Sales, Marketing and Desktops. We want to apply our Software Deployment to the Desktops OU in Seattle. Before that will work we need to move the Computers from the Computers Container in Active Directory Users and Computers to the Desktops OU in Seattle. After we have done this we can link the Software Deployment GPO to the Seattle Desktops OU. Here we go. Right click your domain and choose New Organizational Unit We have an Office in Seattle so we named our OU Seattle and we created some OU’s in there like Desktops, Marketing and Sales. Open Active Directory Users and Computers from the Server Manager. Desktop-03 is located in Seattle so we move it to that OU You can drag and drop the Computer account to the Seattle\Desktops OU It is now listed in the other OU We are back in Group Policy Management and right click the Desktop OU and choose to link an existing GPO Choose the Software Deployment GPO In the overview you see the GPO is now linked to the Seattle Desktops OU only. Boot Desktop-03 and see if the software installs. It should only be installed on Desktop-03, the other 2 in this example will not get the software pushed.