
GPO

Applies to: Medulla – Agent
Version: All
Environment: On-Premise / Private SaaS / Shared SaaS
Category: Medulla Agent

Deploying the Medulla Agent via GPO


What is the best method for deploying the Medulla agent on all computers in an Active Directory domain?


The recommended method is to use a scheduled task via Group Policy Preferences (GPP) with the "Apply once and do not reapply" option.


This method is:
- Compatible with any EXE file (no MSI required)
- Executed only once per workstation
- Run with SYSTEM (administrator) privileges
- Officially supported by Microsoft
- Reliable and avoids repeated reinstallations


How do you set up this method?


Step 1: Prepare the installation file

1. Copy the installer to an accessible network share: (Make sure the path is accessible to "Everyone" or "Domain Computers" with read permissions).

\\SERVER\DEPLOYMENT\Medulla-Agent-windows-FULL-latest.exe

Create a PowerShell script like this:

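# UNC path of the installer on the deployment share
$SetupPath = "\\SERVER\DEPLOYMENT\Medulla-Agent-windows-FULL-latest.exe"
# /S runs the installer silently
$Arguments = "/S"

# Service name used to detect an existing agent installation
$ServiceName = "medullaagent"

$ServiceStatus = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue

# Skip the installation if the service already exists
if ($ServiceStatus) {
    Write-Output "The $ServiceName service already exists. Installation canceled."
    Exit 0
}

# Run the installer and wait for it to finish; report a failure to start it
try {
    Start-Process -FilePath $SetupPath -ArgumentList $Arguments -Wait -NoNewWindow -ErrorAction Stop
}
catch {
    Write-Error "Installation error: $_"
    Exit 1
}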


2. Configure permissions on the share:
   - Read for the Domain Computers group


Step 2: Create the GPO


1. Open the Group Policy Management console
2. Create a new GPO, for example: `Medulla Agent Deployment`


Step 3: Configure the scheduled task

1. Edit the GPO and navigate to:

Computer Configuration
   → Preferences
   → Control Panel
   → Scheduled Tasks

2. Right-click → New → One-time task (Windows 7 or later)


3. In the General tab:
   - Name: `Install Medulla Agent`
   - Account: SYSTEM
   - Run with highest privileges


4. In the Actions tab:

  • Action: Run a program.

  • Program/script: powershell_install_path/powershell.exe

  • Add arguments: -ExecutionPolicy Bypass -File "\\Server\Share\YourScript.ps1" (Make sure the path is accessible by "Everyone" or "Domain Computers" for reading).


Step 4: Apply the GPO


1. Link the GPO to the Organizational Unit (OU) containing your workstations
2. On a test workstation, run:

gpupdate /force


3. Restart the workstation or wait for the next policy update

Note: Workstations must always be restarted after the agent is installed, and by default the GPO does not restart them automatically. Plan a restart for each workstation after the installation.
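
The task configured in Step 3 runs whatever sits on the share as SYSTEM with `-ExecutionPolicy Bypass`, so the share must stay read-only for ordinary accounts. The following audit is an added example, not part of the Medulla documentation; the function name and the list of well-known SIDs are choices made here, and `\\SERVER\DEPLOYMENT` is the page's placeholder path.

```powershell
# Added example: report NTFS entries that let broad groups change deployment files.
$SharePath = "\\SERVER\DEPLOYMENT"   # placeholder path from this page

# Everyone, Authenticated Users, BUILTIN\Users, Domain Users (-513), Domain Computers (-515)
$BroadSids = '^(S-1-1-0|S-1-5-11|S-1-5-32-545|S-1-5-21-.+-(513|515))$'

# Bits that allow changing a file's content, deleting it, or rewriting its ACL/owner.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) show up as raw numbers in some ACEs.
$GenericMask = 0x50000000

function Get-BroadWriteAce {
    param([Parameter(Mandatory)][string]$Path)
    # Audit the share root itself plus every file and folder below it.
    $items = @(Get-Item -LiteralPath $Path) + @(Get-ChildItem -LiteralPath $Path -Recurse -Force)
    foreach ($item in $items) {
        foreach ($ace in (Get-Acl -LiteralPath $item.FullName).Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            try {
                # Compare by SID so localized group names do not matter.
                $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
            } catch { continue }   # unresolvable account: not one of the well-known groups
            $rights = [int]$ace.FileSystemRights
            if ($sid -match $BroadSids -and ($rights -band ($WriteMask -bor $GenericMask))) {
                [pscustomobject]@{
                    Path      = $item.FullName
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                }
            }
        }
    }
}

$findings = @(Get-BroadWriteAce -Path $SharePath)
if ($findings.Count -eq 0) { "No broad write access found under $SharePath" }
else { $findings | Format-Table -AutoSize -Wrap }
```

This covers NTFS entries only. Share-level permissions are evaluated as well, and the more restrictive of the two applies.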


Why not use a startup or logon script?


Traditional scripts (Startup Script or Logon Script) have several drawbacks:
- Risk of multiple executions
- Complexity in detecting whether the installation has already been performed
- Permission issues depending on the execution context
- Less reliable than GPP scheduled tasks


The GPP scheduled task method resolves all these issues.


What does the "Apply once and do not reapply" option do?


This option ensures that:
- The task runs only once on each workstation
- Even if the GPO remains active for years, the installation does not run again
- No need for complex detection scripts
- No accidental reinstallation


This is equivalent to a "fire and forget" deployment.

With the "Apply once and do not reapply" option, it is essential to verify that the agent has installed correctly. If the installation failed during the process, it will not run again.

You can choose not to enable this option ("Apply once and do not reapply") to prevent agent installation issues, but keep the IF section in the PowerShell script that checks whether the medullaagent service is present (already included by default in the script above):

if ($ServiceStatus) {
    Write-Output "The $ServiceName service already exists. Installation canceled."
    Exit 0
}
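
Since a failed run is never retried under "Apply once and do not reapply", each run should leave a record of its outcome. The variant below is an added example, not Medulla's own script: it pins the installer's SHA-256 before running it as SYSTEM and writes the result to the Application event log. The hash is a placeholder, the event source name and event IDs are hypothetical, and it assumes the installer returns a non-zero exit code on failure and registers the service before it exits.

```powershell
# Added example, not Medulla's own script. Placeholders and hypothetical names are marked.
$SetupPath    = "\\SERVER\DEPLOYMENT\Medulla-Agent-windows-FULL-latest.exe"
$ServiceName  = "medullaagent"
$ExpectedHash = "<SHA256-OF-THE-INSTALLER-YOU-VALIDATED>"  # placeholder: pin your own value
$Source       = "MedullaDeploy"                            # hypothetical event source

# Register the event source once (the task runs as SYSTEM, which is allowed to do so).
if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
    New-EventLog -LogName Application -Source $Source
}
function Write-DeployEvent([int]$Id, [string]$Type, [string]$Message) {
    Write-EventLog -LogName Application -Source $Source -EventId $Id -EntryType $Type -Message $Message
}

# Same guard as the page's script: nothing to do if the agent service exists.
if (Get-Service -Name $ServiceName -ErrorAction SilentlyContinue) {
    Write-DeployEvent 1001 Information "Service $ServiceName already present; skipped."
    exit 0
}

# Copy to a fresh, unpredictable local name so the file that is hashed is the file that runs.
$Local = Join-Path $env:TEMP ("medulla-{0}.exe" -f [guid]::NewGuid())
$Code  = 1
try {
    Copy-Item -LiteralPath $SetupPath -Destination $Local -ErrorAction Stop
    $Hash = (Get-FileHash -LiteralPath $Local -Algorithm SHA256).Hash
    if ($Hash -ne $ExpectedHash) { throw "Installer hash mismatch: $Hash" }

    $Proc = Start-Process -FilePath $Local -ArgumentList "/S" -Wait -PassThru -NoNewWindow -ErrorAction Stop
    if ($Proc.ExitCode -ne 0) { throw "Installer exit code $($Proc.ExitCode)" }
    if (-not (Get-Service -Name $ServiceName -ErrorAction SilentlyContinue)) {
        throw "Installer returned 0 but service $ServiceName was not created"
    }
    Write-DeployEvent 1000 Information "Agent installed; restart required."
    $Code = 0
}
catch {
    Write-DeployEvent 1002 Error "Agent installation failed: $_"
}
finally {
    Remove-Item -LiteralPath $Local -Force -ErrorAction SilentlyContinue
}
exit $Code
```

The pin protects only the EXE. The script itself is still read from the share, so write access to the share remains the control that matters, and the pinned hash has to be updated whenever the `latest` installer is replaced.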

How do you verify that the deployment worked?


On a client machine:

1. Verify that the scheduled task has been created:

Control Panel → Administrative Tools → Task Scheduler

Look for the task `Install Medulla Agent`

2. Check the Medulla Agent installation logs

3. Verify that the workstation appears in the Medulla console


On the domain controller:


Use GPO reports to see which computers have applied the policy.
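
GPO reports show that the policy was applied, not that the installer succeeded. As an added example (not from the Medulla documentation), the sweep below checks each enabled computer in an OU for the `medullaagent` service; the OU path is a placeholder, the function name is chosen here, and it assumes the ActiveDirectory RSAT module on the admin host and WinRM reachable on the workstations.

```powershell
# Added example: report which workstations in an OU have the agent service.
Import-Module ActiveDirectory                          # RSAT ActiveDirectory module
$SearchBase  = "OU=Workstations,DC=example,DC=com"     # placeholder OU
$ServiceName = "medullaagent"                          # service name from this page

function Get-AgentStatus {
    param([string[]]$ComputerName, [string]$Service)
    foreach ($name in $ComputerName) {
        # Default to Unreachable so offline machines are not mistaken for failed installs.
        $status = 'Unreachable'
        try {
            $svc = Get-CimInstance -ComputerName $name -ClassName Win32_Service `
                       -Filter "Name='$Service'" -OperationTimeoutSec 15 -ErrorAction Stop
            $status = if ($svc) { "Installed ($($svc.State))" } else { 'Missing' }
        }
        catch { }   # connection or WinRM error: keep 'Unreachable'
        [pscustomobject]@{ Computer = $name; Agent = $status }
    }
}

$computers = Get-ADComputer -SearchBase $SearchBase -Filter 'Enabled -eq $true' |
             Select-Object -ExpandProperty DNSHostName
Get-AgentStatus -ComputerName $computers -Service $ServiceName |
    Sort-Object Agent, Computer | Format-Table -AutoSize
```

Machines reported as `Missing` after the GPO has applied are the ones where a one-time task ran and failed, and they need a manual follow-up.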


Can I use this method to update the agent?


By default, the agent updates itself automatically. If it does not, yes, with a few caveats:


- If you create a new GPO with a new task name, it will run once on all workstations (if "Apply once" is enabled)
- If you change the EXE file path in an existing task with "Apply once," it will not run again (that is the purpose of this option)


For updates, it is best to:
1. Create a new GPO with a new task name for each major version
2. Or use Medulla’s built-in update system


What are the prerequisites?


- An Active Directory domain controller (Windows Server 2008 R2 or later)
- A network share accessible for reading by the workstations
- The Medulla agent installer with silent installation option (`/S`)
- Permissions to create and link GPOs


How long does it take for all workstations to be deployed?


Deployment occurs as group policies are updated:
- By default: every 90 minutes (with a random delay of 0 to 30 minutes)
- Upon workstation restart
- With `gpupdate /force` (immediate)


For a quick deployment across a fleet of 100 workstations, expect it to take about 2 to 4 hours, depending on network traffic.

Run the installation after logging in

A GPO typically runs with SYSTEM privileges before the user logs in.

This can be inconvenient for the user, who may think their computer has frozen.

Solution 1: The "At logon" Scheduled Task

The user arrives at their desktop, and the installation launches silently in the background with SYSTEM privileges.

  1. In your Computer GPO (not User), go to: Preferences > Control Panel Settings > Scheduled Tasks.

  2. New > Scheduled Task (at least Windows 7).

  3. General tab:

    • User account: NT AUTHORITY\SYSTEM (or just type SYSTEM).

    • Check Run with maximum permissions.

  4. Triggers tab:

    • New > At logon.

    • You can select "Any user".

  5. Actions tab:

    • Program: powershell_install_path/powershell.exe

    • Arguments: -ExecutionPolicy Bypass -File "\\Server\Share\SCRIPT_POWERSHELL.ps1"

SCRIPT_POWERSHELL.PS1 corresponds to the script at the top of the page that allows you to install the agent silently.


Solution 2: The "Asynchronous" option

If you want to keep your current script (in "Startup Scripts") but just stop the "Please wait..." screen from appearing:

  1. Go to the GPO: Computer Configuration > Administrative Templates > System > Scripts.

  2. Look for the setting: Run startup scripts asynchronously.

  3. Set it to Enabled.

Note: If you create a task with an "At logon" trigger and check "Apply once and do not reapply," the GPO will create the task once, but the task itself will remain on the PC and continue to run at every login. So be sure to keep the IF condition in the script that checks for the presence of the medullaagent service (already included by default in the script above):

if ($ServiceStatus) {
    Write-Output "The $ServiceName service already exists. Installation canceled."
    Exit 0
}


Additional Resources


- [Official Microsoft documentation on Group Policy Preferences](https://docs.microsoft.com/fr-fr/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn581922(v=ws.11))
- [Medulla deployment documentation](https://medulla-project.org/)


---


Created: December 2024  
Author: Medulla Documentation  
Version: 1.0