This article provides sample scripts that can be used for successful deployment of Barracuda Content Shield (BCS) using GPO. The article is not intended to provide comprehensive instruction in the use of Microsoft GPO, and all samples are provided without assurances or guarantees.
An example Powershell script is provided here to demonstrate fully automating an installation. Using a command line batch file enables the administrator to remotely configure and control the Powershell script. The Group Policy Manager (GPO) is used to distribute these resources to the intended domain-attached computers. The sample script,
ConfigureBCSPlus.ps1, can be found at Example Powershell Script for GPO Deployment of BCS Suite for Windows.
Note that this script is ONLY an example and is offered without assurances or guarantees. Make sure to run the script elevated.
The domain name “dc1.myco.com” is used to represent the domain controller throughout this example. Be sure to make appropriate substitutions for your environment.
Procedure and Sample Deployment Script
Required and Example Files
- The current
BarracudaContentShieldSetup-#.#.#.#.exefile, which is available from the DOWNLOADS page of your BCS account.
bcs.keyfile, which is also available on the DOWNLOADS page (see Account Configuration File).
- The sample batch file (
installBCSPlus.bat) is included below. This .bat file must be edited to reflect the settings (file paths, operational mode, target installer .exe, file version, etc.) in your particular environment. Additionally, if you choose to use this procedure to perform future upgrades of the BCS software, this file will need to be edited to reflect the new version of the installer .exe file.
Performing upgrades also requires downloading the new installer .exe file and saving it in the shared folder (e.g. \\dc1\BCS-Files\), and the GPO Files settings also need to be modified.
Procedure for GPO Deployment
|ACTION STEPS||EXAMPLE VALUE||COMMENTS|
You may want to create a new OU to limit the scope of the machines affected by the GPO.
CAUTION: If you want to retain the option to remove this OU in the future, be sure to de-selected the default “Protect container from accidental deletion” setting before creation.
|2. Using AD, move the computers that are to be the targets of this deployment to the OU identified in Step 1 (e.g. BCSplus).|
3. Create a shared folder on the Domain Controller, and populate with the files* that need to be deployed.
Important: Folder permissions:
|4. Open Group Policy Manager and select the appropriate OU (e.g. BCSplus), and then create a GPO.||BCS Deployment||None|
5. Edit the GPO - Define Folders to be used/created on endpoint computers:
Computer Configuration > Preferences > Windows Settings > Folders
|This folder will be created and administered, on the endpoint computer(s), by this GPO|
6. Edit the GPO - Map Files to be deployed to endpoint computers:
Computer Configuration > Preferences > Windows Settings > Files
Use Action: Replace
Destination file: C:\gpo-bcs-files\installBCSPlus.bat
Repeat for all files
(See step 3 for all example resource filenames)
7. Edit the GPO - Create a Scheduled Task:
Computer Configuration > Preferences > Control Panel Settings > Scheduled TasksNew Scheduled Task (At least Windows 7)
This example uses a one-time execution.
The task needs to be run with elevated privileges in order to be able to install the software.
|8. Configure Firewall on endpoint computer(s)||If you plan to push GPO updates, you may find it necessary to enable some inbound firewall settings on the endpoint computers.|
@echo off setlocal enableextensions :: NOTES ============================================================================= :: This file is intended as an example for use when deploying the BCS Suite via GPO. :: Note, where commands are long, the use of the ^ (Shift + 6) character used to indicate line continuation. :: This file contains two samples of sets of CLI commands that will invoke the Powershell script. :: The first set of commands are used to instruct the Powershell script to install or upgrade the BCS software. :: The second set of commands are used to instruct the Powershell script to remove the BCS software. :: *** The system admin should configure this file to achieve the desired function, including all path references :: and the name of the installer.exe to be used. :: *** Additionally, in order for a "remove" to succeed, the appropriate (-userPass) password needs to be included. :: Return codes: :: 3010 - Uninstall successful. Reboot pending: On uninstall, a reboot is required before reinstalling the agent. :: 0 - Installation successful. (Also on a "remove" action, if the agent is not installed). :: 1603 - Uninstall canceled, most likely because either the Tamper Proof feature is disabled, or the wrong password was provided. :: 1602 - Install aborted. Check KEYPATH value. :: For any of the 16xx return codes, check the component MSI logs in the %temp% folder of the process owner. :: =================================================================================== :: *** Comment, or un-comment, commands as needed *** :: Write (appropriate) log entry for pending install / remove activity echo %date% %time% BCS install job started > c:\gpo-bcs-files\configureBCSPlus_result.txt :: If removing the suite, then replace 'install' with 'remove' in the above command. powershell.exe -NoProfile -executionpolicy bypass -file "c:\gpo-bcs-files\ConfigureBcsPlus.ps1" ^ -action "install" -workDir "c:\gpo-bcs-files" -setupName "BarracudaContentShieldSetup-22.214.171.124.exe" ^ -keyName "bcs.key" echo Result: %ERRORLEVEL% >> c:\gpo-bcs-files\configureBCSPlus_result.txt ::uninstall CLI commands ::powershell.exe -NoProfile -executionpolicy bypass -file ^ "c:\gpo-bcs-files\ConfigureBcsPlus.ps1" -action "remove" -workDir "c:\gpo-bcs-files" ^ -setupName "BarracudaContentShieldSetup-126.96.36.199.exe" -userPass "samplevalueonly" ::echo Result: %ERRORLEVEL% >> c:\gpo-bcs-files\configureBCSPlus_result.txt ::Write log entry to report process completion echo %date% %time% BCS job completed >> c:\gpo-bcs-files\configureBCSPlus_result.txt endlocal
Updating the Endpoint Computer GPO
When the GPO configuration is complete on the domain controller, the GPO is applied upon reboot of the target computers (sometimes this requires multiple reboots, depending on the group membership of the computer). The target computer(s) can also acquire the latest GPO changes immediately by using the gpudate command;
- On the targeted client machine: open
cmd.exe(right-click and run as admin)
- Execute gpupdate /force to force the group policy to be updated:
Computer Policy update has completed successfully.
User Policy update has completed successfully.
To display the results of the policy update, use the gpresult command;
gpresult /z /scope:computer
C:\WINDOWS\system32>gpresult /z /scope:computer
Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
© 2019 Microsoft Corporation. All rights reserved.
Created on 3/1/2020 at 5:01:22 PM
RSOP data for on WIN10-LAB-PC : Logging Mode
OS Configuration: Member Workstation
OS Version: 10.0.18362
Site Name: Default-First-Site-Name
Connected over a slow link?: No
Last time Group Policy was applied: 3/1/2020 at 3:50:16 PM
Group Policy was applied from: DC1.myco.com
Group Policy slow link threshold: 500 kbps
Domain Name: MYCO
Domain Type: Windows 2008 or later
Applied Group Policy Objects
Default Domain Policy
The following GPOs were not applied because they were filtered out
Local Group Policy
Filtering: Not Applied (Empty)
(command output interrupted intentionally)
The output of this command is verbose, and tells you exactly what policy was applied. The sample GPO name is BCS Deployment, which was successfully applied to this machine.