# GPO

<p class="callout info">**Applies to:** Medulla – Agent  
**Version:** All   
**Environment:** On-Premise / Private SaaS / Shared SaaS  
**Category:** Medulla Agent</p>

### Deploying the Medulla Agent via GPO

#### What is the best method for deploying the Medulla agent on all computers in an Active Directory domain?

The recommended method is to use a **scheduled task via Group Policy Preferences (GPP)** with the **"Apply once and do not reapply"** option.

This method is:

- Compatible with any EXE file (no MSI required)
- Executed only once per workstation
- Run with SYSTEM (administrator) privileges
- Officially supported by Microsoft
- Reliable and avoids repeated reinstallations

#### How do you set up this method?

##### Step 1: Prepare the installation file

1. Copy the installer to an accessible network share *(make sure the path is accessible to "Everyone" or "Domain Computers" with read permissions)*:

> `\\SERVER\DEPLOYMENT\Medulla-Agent-windows-FULL-latest.exe`

Create a PowerShell script like this:

```powershell
# Installer on the deployment share and its silent-install switch
$SetupPath = "\\SERVER\DEPLOYMENT\Medulla-Agent-windows-FULL-latest.exe"
$Arguments = "/S"

$ServiceName = "medullaagent"

# Look for the agent service; $null is returned if it is not installed
$ServiceStatus = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue

# Skip the installation when the agent is already present
if ($ServiceStatus) {
    Write-Output "The $ServiceName service already exists. Installation canceled."
    Exit 0
}

try {
    # Run the installer silently and wait for it to finish
    Start-Process -FilePath $SetupPath -ArgumentList $Arguments -Wait -NoNewWindow -ErrorAction Stop
}
catch {
    Write-Error "Installation error: $_"
    Exit 1
}
```

  
2. Configure permissions on the share:
   - **Read** for the **Domain Computers** group
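
Because the scheduled task runs the script and the installer from this share as SYSTEM, anyone who can write to the folder controls what runs on every targeted workstation. The following check is an added example (not part of the Medulla documentation) that lists NTFS entries granting write-type rights to anyone outside an allow-list; the allow-list (SYSTEM, local Administrators, Domain Admins) is an assumption to adjust for your domain.

```powershell
# Added example: audit NTFS permissions on the deployment folder.
# Assumption: only SYSTEM, BUILTIN\Administrators and Domain Admins may write.
$DeployPath = '\\SERVER\DEPLOYMENT'   # share path used on this page

function Get-UnexpectedWriter {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Well-known SIDs: SYSTEM, BUILTIN\Administrators; Domain Admins ends in -512
        [string[]] $AllowedSidPattern = @('^S-1-5-18$', '^S-1-5-32-544$', '^S-1-5-21-.+-512$')
    )
    # Rights that allow replacing or altering the installer or the script
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    $genericMask = 0x50000000   # GENERIC_WRITE | GENERIC_ALL, stored unmapped in some ACEs
    $sidType = [System.Security.Principal.SecurityIdentifier]

    # Check the folder itself and every file in it
    $items = @(Get-Item -LiteralPath $Path) + @(Get-ChildItem -LiteralPath $Path -File)
    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName
        # Ask for SIDs so the check does not depend on localized group names
        foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $rights = [int]$ace.FileSystemRights
            if (-not (($rights -band $writeMask) -or ($rights -band $genericMask))) { continue }
            $sid = $ace.IdentityReference.Value
            if ($AllowedSidPattern | Where-Object { $sid -match $_ }) { continue }
            [pscustomobject]@{
                Path      = $item.FullName
                Sid       = $sid
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

$findings = @(Get-UnexpectedWriter -Path $DeployPath)
if ($findings.Count -gt 0) {
    $findings | Format-Table -AutoSize
    Write-Warning "$($findings.Count) ACL entries let non-admin principals modify files that run as SYSTEM."
} else {
    Write-Output "No unexpected write access found on $DeployPath."
}
```

`Get-Acl` reads NTFS permissions only; share-level permissions are set separately and can be reviewed on the file server with `Get-SmbShareAccess`.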

##### Step 2: Create the GPO

1. Open the **Group Policy Management** console
2. Create a new GPO, for example: `Medulla Agent Deployment`

##### Step 3: Configure the scheduled task

1. Edit the GPO and navigate to:

> Computer Configuration  
>  → Preferences  
>  → Control Panel  
>  → Scheduled Tasks

2. Right-click → **New** → **One-time task (Windows 7 or later)**

3. In the **General** tab:
   - Name: `Install Medulla Agent`
   - Account: **SYSTEM**
   - Run with highest privileges

4. In the **Actions** tab:

- **Action:** Run a program.
- **Program/script:** `powershell_install_path/powershell.exe`
- **Add arguments:** `-ExecutionPolicy Bypass -File "\\Server\Share\YourScript.ps1"` *(Make sure the path is accessible by "Everyone" or "Domain Computers" for reading).*

##### Step 4: Apply the GPO

1. Link the GPO to **the Organizational Unit (OU)** containing your workstations
2. On a test workstation, run:

> `gpupdate /force`

3. Restart the workstation or wait for the next policy update

<p class="callout warning">Note: Workstations must always be restarted after the agent is installed, and by default the GPO does not restart them automatically. Keep in mind that each workstation must be restarted after the agent is installed.</p>

#### Why not use a startup or logon script?

Traditional scripts (Startup Script or Logon Script) have several drawbacks:

- Risk of multiple executions
- Complexity in detecting whether the installation has already been performed
- Permission issues depending on the execution context
- Less reliable than GPP scheduled tasks

The GPP scheduled task method resolves all these issues.

#### What does the "Apply once and do not reapply" option do?

This option ensures that:

- The task runs **only once** on each workstation
- Even if the GPO remains active for years, the installation does not run again
- No need for complex detection scripts
- No accidental reinstallation

This is equivalent to a "fire and forget" deployment.

With the **"Apply once and do not reapply"** option, it is essential to verify that the agent has installed correctly. If the installation failed during the process, it will not run again.

You can choose not to enable the **"Apply once and do not reapply"** option to prevent agent installation issues, but in that case keep the `if` section in the PowerShell script that checks whether the **medullaagent** service is present (already included by default in the script above):

```powershell
if ($ServiceStatus) {
    Write-Output "The $ServiceName service already exists. Installation canceled."
    Exit 0
}
```


#### How do you verify that the deployment worked?

##### On a client machine:

1. Verify that the scheduled task has been created:

> Control Panel → Administrative Tools → Task Scheduler

Look for the task `Install Medulla Agent` (the name given in Step 3).

2. Check the Medulla Agent installation logs

3. Verify that the workstation appears in the Medulla console

##### On the domain controller:

Use GPO reports to see which computers have applied the policy.
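
With "Apply once and do not reapply", a failed installation is not retried, so it is worth checking the whole OU rather than a single workstation. The following is an added example (not part of the Medulla documentation) that asks each enabled computer whether the `medullaagent` service exists; the OU distinguished name is a placeholder, and it assumes the ActiveDirectory module (RSAT) and WinRM access to the workstations.

```powershell
#Requires -Modules ActiveDirectory
# Added example: report which workstations have the agent service.
$SearchBase = 'OU=Workstations,DC=example,DC=com'   # placeholder: OU linked to the GPO

function Get-AgentState {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [string] $ServiceName = 'medullaagent'   # service name checked by the install script
    )
    try {
        $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'" `
            -ComputerName $ComputerName -OperationTimeoutSec 15 -ErrorAction Stop
        # No matching service means the installer never ran or failed
        $state = if ($svc) { $svc.State } else { 'Missing' }
    }
    catch {
        # Powered off, firewalled or WinRM disabled: unknown, so report it separately
        $state = 'Unreachable'
    }
    [pscustomobject]@{ Computer = $ComputerName; Agent = $state }
}

$report = Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase |
    Where-Object DNSHostName |
    ForEach-Object { Get-AgentState -ComputerName $_.DNSHostName }

# Summary first, then the machines that need attention
$report | Group-Object Agent | Select-Object Name, Count | Format-Table -AutoSize
$report | Where-Object { $_.Agent -in 'Missing', 'Unreachable', 'Stopped' } |
    Sort-Object Agent, Computer | Format-Table -AutoSize
```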

#### Can I use this method to update the agent?

By default, the agent updates itself automatically. If it does not, yes, with a few caveats:

- If you create a **new GPO** with a new task name, it will run once on all workstations (if "Apply once" is enabled)
- If you change the EXE file path in an existing task with "Apply once," it will **not** run again (that is the purpose of this option)

For updates, it is best to:

1. Create a new GPO with a new task name for each major version
2. Or use Medulla’s built-in update system

#### What are the prerequisites?

- An Active Directory domain controller (Windows Server 2008 R2 or later)
- A network share accessible for reading by the workstations
- The Medulla agent installer with silent installation option (`/S`)
- Permissions to create and link GPOs

#### How long does it take for all workstations to be deployed?

Deployment occurs as group policies are updated:

- By default: every **90 minutes** (with a random delay of 0 to 30 minutes)
- Upon workstation restart
- With `gpupdate /force` (immediate)

For a quick deployment across a fleet of 100 workstations, expect it to take about **2 to 4 hours**, depending on network traffic.

#### Run the installation after logging in

A GPO is typically run with SYSTEM privileges before the user logs in.

This can be inconvenient for the user, who may think their computer has frozen.

##### Solution 1: The "At logon" Scheduled Task

The user arrives at their desktop, and the installation launches silently in the background with SYSTEM privileges.

1. In your **Computer** GPO (not User), go to: **Preferences** > **Control Panel Settings** > **Scheduled Tasks**.
2. New > **Scheduled Task (at least Windows 7)**.
3. **General tab:**
    - **User account:** `NT AUTHORITY\SYSTEM` (or just type `SYSTEM`).
    - Check **Run with maximum permissions**.
4. **Triggers tab:**
    - New > **At logon**.
    - You can select "Any user".
5. **Actions tab:**
    - Program: `powershell_install_path/powershell.exe`
    - Arguments: `-ExecutionPolicy Bypass -File "\\Server\Share\SCRIPT_POWERSHELL.ps1"`

`SCRIPT_POWERSHELL.ps1` corresponds to the script at the top of the page that allows you to install the agent silently.

---

##### Solution 2: The "Asynchronous" option

If you want to keep your current script (in "Startup Scripts") but just stop the "Please wait..." screen from appearing:

1. Go to the GPO: **Computer Configuration** > **Administrative Templates** > **System** > **Scripts**.
2. Look for the setting: **Run startup scripts asynchronously**.
3. Set it to **Enabled**.

Note: If you create a task with an "At logon" trigger and check **"Apply once and do not reapply"**, the GPO will create the task once, but **the task itself will remain on the PC and continue to run at every logon.** So be sure to keep the **IF** condition in the script that checks for the presence of the **medullaagent** service (already included by default in the script above):

```powershell
if ($ServiceStatus) {
    Write-Output "The $ServiceName service already exists. Installation canceled."
    Exit 0
}
```

#### Additional Resources

- [Official Microsoft documentation on Group Policy Preferences](https://docs.microsoft.com/fr-fr/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn581922(v=ws.11))
- [Medulla deployment documentation](https://medulla-project.org/)

---

  
**Created**: December 2024   
**Author**: Medulla Documentation   
**Version**: 1.0