GPO

Applies to: Medulla – Agent
Version: All 
Environment: On-Premise / Private SaaS / Shared SaaS
Category: Medulla Agent

Deployment of the Medulla Agent via GPO


What is the best method for the deployment of the Medulla agent on all workstations in an Active Directory domain?


The recommended method is to use a scheduled task via Group Policy Preferences (GPP) with the "Apply once and do not reapply" option.


This method is:
- Compatible with any EXE file (no MSI required)
- Runs only once per workstation
- Runs with SYSTEM (administrator) privileges
- Officially supported by Microsoft
- Reliable and prevents repeated reinstallations


How do you set up this method?


Step 1: Prepare the installation file

1. Copy the installer to an accessible network share: (Make sure the path is accessible to "Everyone" or "Domain Computers" with read permissions).

\\SERVER\DEPLOYMENT\Medulla-Agent-windows-FULL-latest.exe

Create a PowerShell script like this:

$SetupPath = "\\SERVER\DEPLOYMENT\Medulla-Agent-windows-FULL-latest.exe"
$Arguments = "/S"

$ServiceName = "medullaagent" 

$ServiceStatus = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue

if ($ServiceStatus) {
    Write-Output "The $ServiceName service already exists. Installation canceled."
    Exit 0
}

try {
    Start-Process -FilePath $SetupPath -ArgumentList $Arguments -Wait -NoNewWindow -ErrorAction Stop
}
catch {
    Write-Error "Installation error: $_"
    Exit 1
}


2. Configure permissions on the share:
   - Read access for the Domain Computers group
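
Because the scheduled task runs whatever sits on the share as SYSTEM, the script can confirm the installer is the file you published and that it actually succeeded. The following variant is an added example, not Medulla's own script: the hash value is a placeholder, the staging directory name is an assumption, and it assumes the installer returns a non-zero exit code on failure.

```powershell
# Added example: install script with an integrity check and an exit-code check.
$SetupPath    = "\\SERVER\DEPLOYMENT\Medulla-Agent-windows-FULL-latest.exe"
$Arguments    = "/S"
$ServiceName  = "medullaagent"
# Placeholder: SHA-256 computed by an administrator from a trusted copy of the installer.
$ExpectedHash = "<SHA256-OF-TRUSTED-INSTALLER>"

if (Get-Service -Name $ServiceName -ErrorAction SilentlyContinue) {
    Write-Output "The $ServiceName service already exists. Installation canceled."
    exit 0
}

# Stage into a fresh directory created by this (SYSTEM) process, so the bytes
# that are hashed are the bytes that run and no other user owns the file.
$StageDir  = Join-Path $env:SystemRoot ("Temp\medulla-" + [guid]::NewGuid())
$LocalCopy = Join-Path $StageDir "setup.exe"
$ExitCode  = 1

try {
    New-Item -ItemType Directory -Path $StageDir -ErrorAction Stop | Out-Null
    Copy-Item -Path $SetupPath -Destination $LocalCopy -ErrorAction Stop

    # Refuse to run anything that differs from the published installer.
    $ActualHash = (Get-FileHash -Path $LocalCopy -Algorithm SHA256).Hash
    if ($ActualHash -ne $ExpectedHash) {
        throw "Hash mismatch: expected $ExpectedHash, got $ActualHash"
    }

    # -PassThru returns the process object so the exit code can be inspected.
    $Process = Start-Process -FilePath $LocalCopy -ArgumentList $Arguments -Wait -PassThru -NoNewWindow -ErrorAction Stop
    if ($Process.ExitCode -ne 0) {
        throw "Installer exited with code $($Process.ExitCode)"
    }
    $ExitCode = 0
}
catch {
    Write-Error "Installation error: $_"
}
finally {
    # Always clean up the staged copy, whether the install succeeded or not.
    Remove-Item -Path $StageDir -Recurse -Force -ErrorAction SilentlyContinue
}
exit $ExitCode
```

The pinned hash has to be updated every time the `-latest` installer on the share is replaced, otherwise the script will refuse to install.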


Step 2: Create the GPO


1. Open the Group Policy Management console
2. Create a new GPO, for example: `Medulla Agent Deployment`


Step 3: Configure the scheduled task

1. Edit the GPO and navigate to:

Computer Configuration
   → Preferences
   → Control Panel
   → Scheduled Tasks

2. Right-click → New → One-time task (Windows 7 or later)


3. On the General tab:
   - Name: `Medulla Agent Installation`
   - Account: SYSTEM
   - Run with highest privileges


4. On the Actions tab:

  • Action: Start a program.

  • Program/script: `install_path_powershell`/powershell.exe

  • Add arguments: -ExecutionPolicy Bypass -File "\\Server\Share\YourScript.ps1" (Make sure the path is accessible to "Everyone" or "Domain Computers" with read permissions).


Step 4: Apply the GPO


1. Link the GPO to the Organizational Unit (OU) containing your workstations
2. On a test workstation, run:

gpupdate /force


3. Restart the workstation or wait for the next policy update

Note: Workstations must always be restarted after the agent is installed. By default, the GPO does not restart the workstation automatically, so plan a restart for each workstation once the agent is installed.


Why not use a startup or logon script?


Traditional scripts (Startup Scripts or Logon Scripts) have several drawbacks:
- Risk of multiple executions
- Difficulty in detecting whether the installation has already been completed
- Permission issues depending on the execution context
- Less reliable than GPP scheduled tasks


The GPP scheduled task method resolves all these issues.


What does the "Apply once and do not reapply" option do?


This option ensures that:
- The task runs only once on each workstation
- Even if the GPO remains active for years, the installation will not run again
- No need for complex detection scripts
- There is no accidental reinstallation


This is equivalent to a "fire-and-forget" deployment.

With the “Apply once and do not reapply” option, it is essential to verify that the agent has installed correctly. If the installation failed during the process, it will not run again.

You can choose not to enable the “Apply once and do not reapply” option (to prevent agent installation issues), but keep the IF statement in the PowerShell script that checks whether the medullaagent service is present (by default, this is already included in the script above):

if ($ServiceStatus) {
    Write-Output "The $ServiceName service already exists. Installation canceled."
    Exit 0
}

How do you verify that the deployment was successful?


On a workstation:

1. Verify that the scheduled task has been created:

Control Panel → Administrative Tools → Task Scheduler

Look for the task `Install Medulla Agent`

2. Check the Medulla Agent installation logs

3. Verify that the workstation appears in the Medulla console


On the domain controller:


Use GPO reports to see which workstations have applied the policy.
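
Since a failed "Apply once" run is not retried, it helps to list the workstations where the `medullaagent` service is still missing. The following is an added example, not part of the Medulla documentation: the computer names are constructed samples, the output file name is an assumption, and it assumes CIM/WinRM remoting is enabled on the workstations.

```powershell
# Added example: report where the medullaagent service is missing or stopped.
$ServiceName = "medullaagent"
# Constructed sample names; replace with your own inventory (for example an OU export).
$Computers = @("WKS-001", "WKS-002", "WKS-003")

$Report = foreach ($Computer in $Computers) {
    $Status = "Unreachable"
    try {
        $Query = @{
            ClassName           = "Win32_Service"
            ComputerName        = $Computer
            Filter              = "Name='$ServiceName'"
            OperationTimeoutSec = 15
            ErrorAction         = "Stop"
        }
        $Service = Get-CimInstance @Query
        $Status  = if ($Service) { "Installed ($($Service.State))" } else { "Missing" }
    }
    catch {
        # Offline or remoting disabled: a state to follow up, not proof of failure.
    }
    [pscustomobject]@{ Computer = $Computer; Agent = $Status }
}

$Report | Sort-Object Agent, Computer | Format-Table -AutoSize

# Keep a list of workstations that still need attention.
$Report | Where-Object { $_.Agent -ne "Installed (Running)" } |
    Export-Csv -Path ".\medulla-agent-followup.csv" -NoTypeInformation
```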


Can I use this method to update the agent?


By default, the agent updates itself automatically, but if not, yes—with a few caveats:


- If you create a new GPO with a new task name, it will run once on all workstations (if "Apply once" is enabled)
- If you change the EXE file path in an existing task set to "Apply once," it will not run again (that is the purpose of this option)


For updates, it’s best to:
1. Create a new GPO with a new task name for each major version
2. Or use Medulla’s built-in update system


What are the prerequisites?


- An Active Directory domain controller (Windows Server 2008 R2 or later)
- A network share accessible in read-only mode by the workstations
- The Medulla agent installer with the silent installation option (`/S`)
- Permissions to create and link GPOs


How long does it take for all workstations to be deployed?


Deployment occurs as Group Policy updates are applied:
- By default: every 90 minutes (with a random delay of 0 to 30 minutes)
- When the workstation restarts
- Using `gpupdate /force` (immediate)


For rapid deployment across a fleet of 100 workstations, expect it to take about 2 to 4 hours, depending on network traffic.

Run the installation after logging in

A GPO typically runs with SYSTEM privileges before the user logs in.

This can be disruptive for the user, who may think their computer has frozen.

Solution 1: The "At logon" Scheduled Task

The user arrives at their desktop, and the installation runs silently in the background with SYSTEM privileges.

  1. In your Computers GPO (not User), go to: Preferences > Control Panel Settings > Scheduled Tasks.

  2. New > Scheduled Task (Windows 7 and later).

  3. General tab:

    • User Account: NT AUTHORITY\SYSTEM (or just type SYSTEM).

    • Check "Run with maximum permissions."

  4. Triggers tab:

    • New > At logon.

    • You can select "Any user."

  5. Actions tab:

    • Program: powershell_install_path/powershell.exe

    • Arguments: -ExecutionPolicy Bypass -File "\\Server\Share\SCRIPT_POWERSHELL.ps1"

SCRIPT_POWERSHELL.PS1 corresponds to the script at the top of the page that allows you to install the agent silently.


Solution 2: The "Asynchronous" option

If you want to keep your current script (in "Startup Scripts") but just stop the "Please wait..." screen from appearing:

  1. Go to the GPO: Computer Configuration > Administrative Templates > System > Scripts.

  2. Look for the setting: Run startup scripts asynchronously.

  3. Set it to Enabled.

Note: If you create a task with an "On login" trigger and check "Apply once and do not reapply," the GPO will create the task once, but the task itself will remain on the PC and continue to run at every login. So be sure to keep the IF condition in the script that checks for the presence of the medullaagent service (included by default in the script above):

if ($ServiceStatus) {
    Write-Output "The $ServiceName service already exists. Installation canceled."
    Exit 0
}


Additional Resources


- [Official Microsoft documentation on Group Policy Preferences](https://docs.microsoft.com/fr-fr/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn581922(v=ws.11))
- [Medulla Deployment Documentation](https://medulla-project.org/)


---


Date created: December 2024  
Author: Medulla Documentation  
Version: 1.0