BESRemove.exe Tool with Group Policy

In our environment we had an issue where external clients had some registry information changed, and they will all require a manual re-installation to connect through our external relays. The change requires the BESRemove.exe tool to handle the clean uninstallation before we re-install the BES Client with Group Policy. Since the BESRemove tool exclusively has an .exe version, and not an .msi, we cannot execute it through GP. Has anyone encountered a way to remotely deploy and run the remover tool with group policy? If not, does anyone recommend an .exe to msi builder tool that would work in this situation?

You can try and test the MSIX Packaging Tool from Microsoft:
MSIX Packaging Tool

However, rather than performing a complete removal, you may consider an alternative approach:

  • If the issue is related to specific client settings, you could remove or update the required client settings via a script rather than uninstalling the entire client.
  • If the BES Client is installed but belongs to a different environment, you can simply replace the masthead.afxm file instead of reinstalling. The BESClient will automatically reset and start as a fresh agent.

Note: After resetting the client, make sure to reapply the necessary client settings, as they will not be preserved post-reset.

Subject: Deploying Software via Group Policy (Local Testing & QA)

Purpose: This document outlines the process for deploying software using Group Policy, including local testing and QA deployment.

I. Local Testing (Verification):

  1. Create a Deployment Folder:
  • Create a new folder on your local machine.
  • Place the following files inside this folder:
    • Setup.exe (or the installation executable)
    • Masthead (if required)
    • Clientsettings.cfg (if required)
    • BESRemove.exe (if required)
    • YourScript.bat (a batch script containing the installation/upgrade/removal logic)
  2. Create the Batch Script (YourScript.bat):
  • Within the deployment folder, create a batch script (YourScript.bat).
  • This script should contain all the necessary commands to install, upgrade, or remove the software.
  • Ensure that the script is written to function correctly when executed under the SYSTEM account.
  3. Test the Batch Script as SYSTEM:
  • Use a tool like psexec (from Sysinternals Suite) or the Task Scheduler to run the batch script as the SYSTEM account.
  • Verify that the installation/upgrade/removal process completes successfully without errors.
  • Example using psexec: psexec -s -i cmd.exe then navigate to your script and run it.

II. QA Deployment via Group Policy:

  1. Create a Group Policy Object (GPO):
  • Open the Group Policy Management Console.
  • Create a new GPO and link it to the appropriate Organizational Unit (OU) containing the test machine.
  • Limit the GPO to only the test machine.
  2. Copy Deployment Folder via Startup Script:
  • In the GPO, navigate to: Computer Configuration > Policies > Windows Settings > Scripts (Startup/Shutdown) > Startup.
  • Click “Show Files…” to open the GPO’s Startup script folder.
  • Copy the entire deployment folder (created in step I.1) into this folder.
  • Note the full path to the folder within the GPO folder.
  3. Create a Scheduled Task:
  • In the same GPO, navigate to: Computer Configuration > Preferences > Control Panel Settings > Scheduled Tasks.
  • Create a new Scheduled Task.
  • General Tab:
    • Name: (e.g., “Software Deployment”)
    • Run as: SYSTEM
    • Configure for: (Choose the appropriate Windows version)
  • Triggers Tab:
    • Configure the desired trigger (e.g., At system startup).
  • Actions Tab:
    • Action: Start a program
    • Program/script: cmd.exe
    • Add arguments: /c "path\YourScript.bat" (Replace path with the full path to YourScript.bat within the GPO’s Startup folder).
    • Start in: path (Replace path with full path to the folder within the GPO folder)
  • Settings Tab:
    • Ensure that the task is configured to run whether the user is logged on or not.
  4. Test the Deployment:
  • Force a Group Policy update on the test machine (gpupdate /force).
  • Restart the test machine.
  • Verify that the software is installed correctly.
  • Check the event viewer for any errors.

Great notes!

I’d be concerned about the original ask of ‘deploying BESRemove via GPO’ by itself. Since BESRemove doesn’t ‘remain installed’, there’s a danger of having BESRemove execute every time the client restarts and reapplies GPO.
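
One way to handle the repeat-execution concern raised above, as an added example that is not part of any post in this thread: a run-once guard for YourScript.bat that records completion under HKLM and reports to the Application event log. The registry key and value names and the event source are hypothetical, the two argument variables are placeholders to fill in from the vendor documentation, and the script assumes both executables return exit code 0 on success.

```bat
@echo off
rem Added example (not from the thread): run-once guard for YourScript.bat.
rem Hypothetical names: the registry key/value below and the event source.
setlocal EnableExtensions

set "KEY=HKLM\SOFTWARE\ExampleOrg\BESRedeploy"
set "VAL=Completed-v1"
set "SRC=%~dp0"
rem Placeholders: fill in the silent switches documented for your versions.
set "REMOVE_ARGS="
set "SETUP_ARGS="

rem HKLM\SOFTWARE is writable only by administrators and SYSTEM, so a
rem standard user cannot plant or delete the marker.
reg query "%KEY%" /v "%VAL%" >nul 2>&1
if not errorlevel 1 exit /b 0

call :log INFORMATION 100 "Starting BESRemove"
start "" /wait "%SRC%BESRemove.exe" %REMOVE_ARGS%
if errorlevel 1 goto :failed

start "" /wait "%SRC%Setup.exe" %SETUP_ARGS%
if errorlevel 1 goto :failed

rem Set the marker only after both steps succeed; a failed run retries next boot.
reg add "%KEY%" /v "%VAL%" /t REG_SZ /d "%DATE% %TIME%" /f >nul
call :log INFORMATION 101 "Removal and reinstall finished; marker written"
exit /b 0

:failed
call :log ERROR 102 "Step failed with exit code %ERRORLEVEL%; will retry at next startup"
exit /b 1

:log
rem Write one entry to the Application log: %1 = type, %2 = event ID, %3 = message.
eventcreate /L APPLICATION /T %~1 /ID %~2 /SO BESRedeploy /D %3 >nul
exit /b 0
```

Running the tools directly from the GPO folder avoids staging a copy in a user-writable directory such as a new subfolder of %ProgramData%, where a standard user could swap the executable before the SYSTEM task runs it.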