Group Policy Software Deployment OpenVPN

You will require:

OpenVPN Code signing certificate: http://anonit.blogspot.com.au/2016/03/extract-openvpn-driver-code-signing.html
OpenVPN MSI - instructions here:

http://anonit.blogspot.com/2016/03/openvpn-creating-msi-installer.html

Create the deployent share, and set permissions as appropriate: http://anonit.blogspot.com.au/2016/03/group-policy-software-deployment.html

Place the OpenVPN MSI into the deployment share.

Open GPMC.MSC



Expand the domain, and expand Group Policy Objects.  Right click and select New



Give the software deployment a name, and click OK



Right click the GPO and select Edit…



Expand Computer Configuration –> Policies –> Software Settings  Right click on
Software Installation and select New –> Package…


Navigate to the deployment share via UNC, select the MSI, and click Open.



Select Assigned and click OK.



The application is now assigned for install.



Navigate to Computer Configuration –> Windows Settings –> Security Settings –> 
Public Key Policies.  Right click Trusted Publisher and select Import…



Click Next



Click Browse



Navigate to the OpenVPN certificate and click Open



Click Next



Click Next



Click Finish



Click OK



The certificate is now ready to be pushed out via Group Policy.



Drag the Group Policy Object (EG: Install Open VPN Client) and release on the OU you wish to
deploy the software to.  (EG: Corp Computers).


The software will now be deployed to computer objects in that OU.

Group policy Software deployment permisisons

When deploying software deployment via group policy permissons must be set so that the computer account has read permission to the install files.

To check this, open Computer Management and open Shared Folders.

Right click the deployment share and select Properties



Domain computers at a minimum should have read.  In this example, I have Everyone as read.



Open Windows Explorer and navigate to the deployment folder.  Right click the deployment folder
and select Properties


On the Security tab, you can see i have added Domain Computers as Read & execute, list
folder contents, and Read.


This will allow the computer accounts to access the softwaredeployment share.

Firefox Tweaks

I'm putting this link here so I'll know where to find them again.

I'd assume that these settings may be removed on updates, so you might need to put them back in.

http://trog.qgl.org/20160305/my-firefox-tweaks/

Make sure you test though, setting:
privacy.trackingprotection.enabled to TRUE
disabled blogger from working correctly for me!

Extract OpenVPN driver code signing certificate

To extract the OpenVPN driver code signing certificate, download OpenVPN from here: https://openvpn.net/index.php/download/community-downloads.html (this article was created using version 2.3.10)

On a test machine, install as administrator.





Click Next



Click I Agree



Ensure that only TAP Virtual Ethernet Adapter is selected and click Next



Click Install



On the windows security dialog, tick Always trust software from “OpenVPN Technologies, Inc.”.
and click Install.








Once installed, click Next



Click Finish





Open the MMC



Click File and select Add/Remove Snap-in…



Select Certificates and click Add.



Select Computer Account and click Next



Select Local comptuer: (the computer this console is running on) and click Finish



Click OK



Expand Certificates (Local Computer) –> Trusted Publishers –> Certificates.

Right click the OpenVPN Technologies certificate and select All Tasks –> Export…



Click Next



Select Base64 encoded x.509 (.CER) and click Next



Click Browse, navigate to the location you wish to save the certificate and click Next



Click Finish



Click OK



The certificate is now in the location specified.

OpenVPN – Creating an MSI installer

To create an MSI installer for open VPN will require:

WIX: http://wixtoolset.org/releases/ (This was created using 3.10.2)

Open VPN installer: https://openvpn.net/index.php/download/community-downloads.html (This was created using 2.3.10)

2 x GUID: http://www.guidgen.com/

Createmsi.bat: http://pastebin.com/gbT4b2wC

Openvpn-install-2.3.10-i602-x86_64.wxs: http://pastebin.com/yTYWaT13


Download WIX from the link above.

Install by running as administrator.






















Install.























Create a folder in the root of C drive called OpenVPN.



Modify Openvpn-install-2.3.10-i602-x86_64.wxs.  Change the following:

<?define ProductVersion = "2.3.10"?>

<?define ExeSourceFile = "openvpn-install-2.3.10-I602-x86_64.exe"?> 

<?define ProductCode = "9dc4937b-e23c-42a3-a344-86b78f61f8d1"?>

<?define ProductUpgradeCode = "407cfa7d-b3fc-48a9-abfc-2088070685a7"?>

ProductVersion is the version of Open VPN to install.

ExeSourceFile is the name of the Open VPN executable file.

ProductCode is one of the GUID you generated.

ProductUpgradeCode is the 2nd GUID generated.

The wxs file name will need to be changed to reflect the exe installer name.



The GUID are used to identify the products.  The ProductCode is the ID of the version we are
installing now.  The product upgrade code will allow upgrading of previous versions to the current version.  In the example ablove, I will install a product code of 9dc4937b-xxx.  This will update
product code of 407cfa7d-xxx.  When i create the next version, I will generate a new GUID and use that for the product code, but place the 9dc4937b-xxx into the product update code.



Place CreateMSI.bat andOpenvpn-install-2.3.10-i602-x86_64.wxs into the c:\openvpn folder.





Open an administrator command prompt.



Navigate to c:\openvpn and run CreateMSI.bat.



This will create the MSI in the c:\openvpn folder.