Deploy Office 2019 via GPO

With the advent of Office 2019, Microsoft has moved away from GPO deployment via MSI. There is no MSI of Office, Visio, Project, etc available to download anymore. Microsoft is moving toward using SCCM or the Office Deployment tool. I was tasked with coming up with a method for deploying Office via GPO in a fully automated manner.

There may be more than one way to accomplish GPO deployment of Office, and I do not claim to have the best method. It took me quite a bit of research and troubleshooting to get this method to work. I hope it helps someone looking to accomplish the same thing I was.

First off, head over to Microsoft and download the Office Deployment Tool (ODT) HERE. Run the executable and extract the files to a directory.

Next, use the Microsoft tool for generating an XML file HERE. Set your preferences, in my case, it was a volume license MAK copy of Visio 2019. Export the XML file and place it in the directory where you extracted the ODT.

The XML file I used to deploy Visio 2019 using a volume license looked like this:

<Configuration ID="xxxxxxxxxxxxxxxxxxxxxxx">
<Add OfficeClientEdition="64" Channel="PerpetualVL2019" SourcePath="\\server\ODT\" AllowCdnFallback="TRUE" ForceUpgrade="TRUE">
<Product ID="VisioPro2019Volume" PIDKEY="XXXXX-XXXXX-XXXXX-XXXXX-XXXXX">
<Language ID="en-us" />
<ExcludeApp ID="Groove" />
<ExcludeApp ID="OneDrive" />
</Product>
</Add>
<Property Name="SharedComputerLicensing" Value="0" />
<Property Name="PinIconsToTaskbar" Value="TRUE" />
<Property Name="SCLCacheOverride" Value="0" />
<Property Name="AUTOACTIVATE" Value="TRUE" />
<Updates Enabled="TRUE" />
<RemoveMSI />
<AppSettings>
<Setup Name="Company" Value="Company" />
</AppSettings>
<Display Level="None" AcceptEULA="TRUE" />
<Logging Level="Standard" Path="" />
</Configuration>

Notice the Display Level option. If set to FULL the installer will be visible. NONE means the install is silent.

Using an elevated command prompt under the ODT folder issue the following:

setup /download configuration.xml

Replace configuration.xml with the name of the XML exported earlier. The process will download the Office 2019 packages to a directory called “data” within the ODT folder.

Once complete, move the directory to a network share location. Set the share permissions appropriately, and make sure to edit the NTFS settings to allow domain users and domain computers read access.

Create a text file in the share directory and name it something that makes sense, in my case it was installvisio.txt. We are going to build a batch script from this file. The batch I created looks like this:

@echo off


 echo Visio 2019 Installer DO NOT CLOSE THIS WINDOW


 echo Checking for Visio Installation


 cd %SystemDrive%\users 
 dir /s completedoffice.txt 
 if not errorlevel 1 goto end


 echo Running Visio installer


 \server\ODT\Setup.exe /configure \server\ODT\configuration2.xml 


 echo Office Install Complete > %SystemDrive%\users\completedoffice.txt


 :end 
 exit

The echos were used mainly during my testing phases while creating the .bat script. The script checks a directory for a text file that the script creates after the install is completed. If the file does not exist it calls the ODT and references the XML file. Rename the text file to a .bat file.

Next we want to create GPO that will do two things:

  1. Move the .bat from the share to the local machine
  2. Create a scheduled task that runs the .bat

In the GPO under User Settings –> Preferences –> Windows Settings –> Files, create a new files policy that looks like this:

In the GPO under User Settings –> Preferences –> Control Panel Settings –> Scheduled Tasks, create a new scheduled task.

The general tab should look like this:

Make sure when setting the security options, you BROWSE for the SYSTEM account as follows:

Under the triggers tab, configure a new trigger that begins at logon under any user. It should look like this:

On the actions tab, configure a new action as follows:

No other settings need to be configured on the GPO. Under the Delegation tab of the GPO, we opted to target a specific group of people for the Visio install. To accomplish this, we removed Authenticated Users. In AD we created a new security group called wgrp-visio-install. We added this group to the delegation tab and set the permission to read. Under advanced, make sure to check “apply policy”. Domain Computers needs to be added to the delegation tab as well.

Make sure to add the users or groups that need the office product the script will install to the newly created group.

If you opted for a silent install in the XML the user never even knows anything happened. As with everything, make sure to test this deployment method before applying to a production environment.

Happy trails!

Leave a Reply