We use cookies on our website to ensure we provide you with the best experience on our website. By using our website, you agree to the use of cookies for analytics and personalized content.This website uses cookies. More Information
It seems like your browser didn't download the required fonts. Please revise your security settings and try again.
Barracuda Content Shield

How to Deploy the Barracuda Content Shield Suite via GPO

  • Last updated on

This article provides sample scripts that can be used for successful deployment of Barracuda Content Shield (BCS) using GPO. The article is not intended to provide comprehensive instruction in the use of Microsoft GPO, and all samples are provided without assurances or guarantees.

An example Powershell script is provided here to demonstrate fully automating an installation. Using a command line batch file enables the administrator to remotely configure and control the Powershell script. The Group Policy Manager (GPO) is used to distribute these resources to the intended domain-attached computers. The sample script, ConfigureBCSPlus.ps1,  can be found at Example Powershell Script for GPO Deployment of BCS Suite for Windows

Note that this script is ONLY an example and is offered without assurances or guarantees. Make sure to run the script elevated.

The domain name “dc1.myco.com” is used to represent the domain controller throughout this example. Be sure to make appropriate substitutions for your environment.

Procedure and Sample Deployment Script

Required and Example Files
  • The current BarracudaContentShieldSetup-#.#.#.#.exe file, which is available from the DOWNLOADS page of your BCS account.
  • The bcs.key file, which is also available on the DOWNLOADS page  (see Account Configuration File).
  • The sample batch file (installBCSPlus.bat) is included below. This .bat file must be edited to reflect the settings (file paths, operational mode, target installer .exe, file version, etc.) in your particular environment. Additionally, if you choose to use this procedure to perform future upgrades of the BCS software, this file will need to be edited to reflect the new version of the installer .exe file.

Performing upgrades also requires downloading the new installer .exe file and saving it in the shared folder (e.g. \\dc1\BCS-Files\), and the GPO Files settings also need to be modified. 

Procedure for GPO Deployment

  1. Select or Create an Active Directory Organizational Unit

You may want to create a new OU to limit the scope of the machines affected by the GPO.

CAUTION: If you want to retain the option to remove this OU in the future, be sure to de-selected the default “Protect container from accidental deletion” setting before creation.

2. Using AD, move the computers that are to be the targets of this deployment to the OU identified in Step 1 (e.g. BCSplus).



3. Create a shared folder on the Domain Controller, and populate with the files* that need to be deployed.


  • BarracudaContentShieldSetup-#.#.#.#.exe
  • bcs.key
  • ConfigureBCSPlus.ps1
  • installBCSPlus.bat

Important: Folder permissions:

  • Sharing > Advanced Sharing > Permissions;
    • “Authenticated Users” need Read access
    • “Everyone” should have Full Control
  • Security;
    • “Authenticated Users” need default permissions (read & execute, list folder contents, read)
    • “Everyone” should have default permissions
4. Open Group Policy Manager and select the appropriate OU (e.g. BCSplus), and then create a GPO.BCS DeploymentNone

5. Edit the GPO - Define Folders to be used/created on endpoint computers:

Computer Configuration > Preferences > Windows Settings > Folders


This folder will be created and administered, on the endpoint computer(s), by this GPO

6. Edit the GPO - Map Files to be deployed to endpoint computers:

Computer Configuration > Preferences > Windows Settings > Files

Use Action: Replace
Source file(s): \\dc1\BCS-Files\installBCSPlus.bat

Destination file: C:\gpo-bcs-files\installBCSPlus.bat

Repeat for all files

(See step 3 for all example resource filenames)


  • Be sure to edit the Source file name to use the UNC format,
    (e.g. \\dc1\BCS-Files\installBCSPlus.bat )
  • The file Destination is the (new) target folder on the client computer(s)
  • If browsing for the source file fails, type the full path manually

7. Edit the GPO - Create a Scheduled Task:

Computer Configuration > Preferences > Control Panel Settings > Scheduled Tasks

New Scheduled Task (At least Windows 7)

BCS Manager

  • General tab
    • Run using (NT AUTHORITY)\System account
    • Run whether user is logged on or not
    • Run with highest privileges
  • Triggers tab
    • One time – 2/29/2019 at 06:00
  • Actions tab
    • Start a program
    • Program/Script = C:\gpo-bcs-files\installBCSPlus.bat
    • Start in = C:\gpo-bcs-files
  • Conditions tab
    • Be sure Start only if the following network connection is available: Any connection is selected
  • Settings tab (defaults used)
  • Common tab (defaults used)

This example uses a one-time execution.

The task needs to be run with elevated privileges in order to be able to install the software.


8. Configure Firewall on endpoint computer(s) If you plan to push GPO updates, you may find it necessary to enable some inbound firewall settings on the endpoint computers.


@echo off
setlocal enableextensions
:: NOTES =============================================================================
:: This file is intended as an example for use when deploying the BCS Suite via GPO.
:: Note, where commands are long, the use of the ^ (Shift + 6) character used to indicate line continuation.  
:: This file contains two samples of sets of CLI commands that will invoke the Powershell script.
:: The first set of commands are used to instruct the Powershell script to install or upgrade the BCS software.
:: The second set of commands are used to instruct the Powershell script to remove the BCS software.
:: *** The system admin should configure this file to achieve the desired function, including all path references 
:: and the name of the installer.exe to be used.
:: *** Additionally, in order for a "remove" to	succeed, the appropriate (-userPass) password needs to be included.

:: Return codes:
:: 3010 - Uninstall successful. Reboot pending: On uninstall, a reboot is required before reinstalling the agent.
:: 0    - Installation successful. (Also on a "remove" action, if the agent is not installed).
:: 1603 - Uninstall canceled, most likely because either the Tamper Proof feature is disabled, or the wrong password was provided.
:: 1602 - Install aborted. Check KEYPATH value.
:: For any of the 16xx return codes, check the component MSI logs in the %temp% folder of the process owner.
:: ===================================================================================
:: *** Comment, or un-comment, commands as needed ***
:: Write (appropriate) log entry for pending install / remove activity
echo %date% %time% BCS install job started > c:\gpo-bcs-files\configureBCSPlus_result.txt
:: If removing the suite, then replace 'install' with 'remove' in the above command.
powershell.exe -NoProfile -executionpolicy bypass -file "c:\gpo-bcs-files\ConfigureBcsPlus.ps1" ^
-action "install" -workDir "c:\gpo-bcs-files" -setupName "BarracudaContentShieldSetup-" ^
-keyName "bcs.key" 
echo Result: %ERRORLEVEL% >> c:\gpo-bcs-files\configureBCSPlus_result.txt
::uninstall CLI commands
::powershell.exe -NoProfile -executionpolicy bypass -file ^
"c:\gpo-bcs-files\ConfigureBcsPlus.ps1" -action "remove" -workDir "c:\gpo-bcs-files" ^
-setupName "BarracudaContentShieldSetup-" -userPass "samplevalueonly"
::echo Result: %ERRORLEVEL% >> c:\gpo-bcs-files\configureBCSPlus_result.txt
::Write log entry to report process completion
echo %date% %time% BCS job completed >> c:\gpo-bcs-files\configureBCSPlus_result.txt

Updating the Endpoint Computer GPO

When the GPO configuration is complete on the domain controller, the GPO is applied upon reboot of the target computers (sometimes this requires multiple reboots, depending on the group membership of the computer). The target computer(s) can also acquire the latest GPO changes immediately by using the gpudate command;

  1. On the targeted client machine: open cmd.exe (right-click and run as admin)
  2. Execute gpupdate /force to force the group policy to be updated:
     C:\WINDOWS\system32>gpupdate /force
     Updating policy...
     Computer Policy update has completed successfully.
     User Policy update has completed successfully.

To display the results of the policy update, use the gpresult command;

 gpresult /z /scope:computer

C:\WINDOWS\system32>gpresult /z /scope:computer

Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0

© 2019 Microsoft Corporation. All rights reserved.

Created on ‎3/‎1/‎2020 at 5:01:22 PM

RSOP data for  on WIN10-LAB-PC : Logging Mode


OS Configuration:            Member Workstation

OS Version:                  10.0.18362

Site Name:                   Default-First-Site-Name

Roaming Profile:

Local Profile:

Connected over a slow link?: No




       Last time Group Policy was applied: 3/1/2020 at 3:50:16 PM

       Group Policy was applied from:      DC1.myco.com

       Group Policy slow link threshold:   500 kbps

       Domain Name:                        MYCO

       Domain Type:                        Windows 2008 or later 


      Applied Group Policy Objects


       BCS Deployment

       Default Domain Policy

    The following GPOs were not applied because they were filtered out


       Local Group Policy

            Filtering:  Not Applied (Empty)


(command output interrupted intentionally)

The output of this command is verbose, and tells you exactly what policy was applied. The sample GPO name is BCS Deployment, which was successfully applied to this machine.


Last updated on