Deploy Wapt via GPO

Flo2k17
Messages: 5
Registration: August 3, 2017 - 2:59 PM

August 3, 2017 - 3:08 PM

I had the same problem as Mika, but unfortunately, the solution of directly entering the WAPT server URL doesn't work...

After a `gpresult /h gpo.html & gpo.html`, I can see on my client (Windows 7) that it hasn't been applied (unlike a GPO for changing the desktop background, for example, which works perfectly).
I admit I don't know what to do anymore; I've tested absolutely every solution available online. I liked WAPT, but without deployment via GPO, it's useless on a network of 500 workstations.

Arguments from my latest GPO (I think I've tried every possible argument combination):
```
waptdeploy.exe --hash=80c6ea[...] --minversion=1.3.12.15 --wait=15 --waptsetupurl="http://ip_of_my_wapt_server/wapt/waptagent.exe"
```
WAPT is installed on Windows Server 2016 (and Windows 2012 for testing).
If you have any ideas :)
Thank you.
agauvrit
WAPT Expert
Messages: 238
Registration: Nov 17, 2016 - 10:25
Location: Nantes

August 3, 2017 - 4:10 PM

Hello,

Is the waptdeploy GPO completely separate from other GPOs (not included in Default Group Policy)?

Does it work if you enter the command manually?

Example:

```
Win+R > cmd.exe >
\\ip_serveur_activedirectory\sysvol\[...]\waptdeploy.exe --hash=68.. --wait=15
\\ip_serveur_activedirectory\sysvol\[...]\waptdeploy.exe --hash=68.. --wait=15 --waptsetupurl="http://ipwapt/wapt/waptagent.exe"
```

Does the wapt agent download correctly manually?

```
Win+R > http://srvwapt/wapt/waptagent.exe
```
Flo2k17

August 4, 2017 - 09:04

Thank you for your feedback.
I just tested both proposed solutions, and they both work; the client correctly connects to the WAPT server. However, the GPO does not work. (See attached image.)

The GPO is clearly separate from the other GPOs.
Attachments: Screenshot_1.png, Screenshot_4.png
agauvrit

August 4, 2017 - 09:54

Okay, let's continue. Are there any antivirus programs installed on the workstations?

We've had experience with AVG and Sophos flagging waptdeploy.exe as a threat, which requires adding it to the list of .exe files to ignore (by hash or UNC path).

Is there a software restriction policy in place, like AppLocker or SRP?

What does the Windows Event Viewer show?
Flo2k17

August 4, 2017 - 10:44

We do indeed have Sophos on our machines, but after a quick look, nothing seems out of the ordinary.
Furthermore, my test environment has no antivirus (nor an internet connection, for that matter), only a local network.
After running `gpupdate /force` on the test client machine (Windows 7), I see a "Schannel" error in the Event Viewer. I admit I'm a bit overwhelmed by this amount of information (see attached file).

EDIT: gpresult report attached.
Attachments: Screenshot_6.png, Screenshot_5.png
agauvrit

August 4, 2017 - 11:50

The problem raised in this thread: https://community.spiceworks.com/topic/ ... nied-empty

It could be a permissions issue with the GPOs, which are probably being seen as empty because the machine can't see the policy contents.

The same applies to the global policy, by the way.
Flo2k17

August 4, 2017 - 12:58

So, if I understand correctly from the thread you linked, it's a problem with computer GPOs that can't be applied to a user. I therefore "duplicated" my GPO in User Configuration (see attached image).
Now, the GPO is applied to the machine, but I have to log in as administrator to trigger the WaptAgent installation. Once logged in, the installation proceeds smoothly (and the machine reappears in the Wapt inventory).

The goal, however, would be to avoid having to log in as administrator to trigger this installation, thus remaining transparent to users.
Attachments: Screenshot_7.png
agauvrit

August 4, 2017 - 3:56 PM

Create an Organizational Unit (OU) and move the WAPT deployment test workstations into it.

This OU contains only computer accounts, no user accounts (which are usually in CN=Computers). Apply the Group Policy Object (GPO) to these computers.

Do not create the policy on the user side; they cannot install applications (normally, unless they are administrators of the workstation, of course). See the attached example from our managed services clients.

Alexandre

Attachments: example_gpo_waptdeploy.png
mbitos
Messages: 1
Registration: August 7, 2017 - 3:25 PM

August 7, 2017 - 3:34 PM

Hello everyone.

When I try to install the agent via GPO, I get this error message. I've tried reinstalling the agent, but it doesn't work. However, manual installation works without any problems.
Thank you all for your help.


ERROR: NO HASH provided to check waptagent.exe. Either put the sha256 hash in command line or in c:\wapt\wapupgrade\waptagent.sha256
agauvrit

August 7, 2017 - 6:06 PM

Hello,

You must specify the --hash parameter with the value available on the WAPT server webpage;

see the online documentation: https://www.wapt.fr/fr/doc/Installation ... -arguments
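
The hash requirement discussed in the last two posts, shown as an added example (not waptdeploy's own code and not posted by anyone in this thread): the agent installer is fetched over plain HTTP, so a SHA-256 pin taken from the command line or from a sidecar file is what ties the download to the build published on the server. The function names, the sidecar layout and the sample bytes are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
import tempfile

def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so a large installer is never read whole into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def resolve_expected_hash(cli_hash, sidecar_path):
    """Take the pin from the command line, else from a sidecar file."""
    candidate = cli_hash
    if not candidate and os.path.isfile(sidecar_path):
        with open(sidecar_path, encoding="ascii") as fh:
            # Assumed layout: "<hash>" or "<hash>  <filename>" (sha256sum style).
            candidate = (fh.read().split() or [""])[0]
    candidate = (candidate or "").strip().lower()
    # A missing, truncated or non-hex pin fails closed instead of skipping the check.
    if len(candidate) != 64 or set(candidate) - set("0123456789abcdef"):
        raise ValueError("no usable SHA-256 pin: refusing to run the installer")
    return candidate

def verify_installer(installer, cli_hash, sidecar_path):
    """Return True only when the installer matches the pinned SHA-256."""
    expected = resolve_expected_hash(cli_hash, sidecar_path)
    return hmac.compare_digest(sha256_file(installer), expected)

def demo():
    """Constructed sample: a stand-in installer, then the same file modified."""
    with tempfile.TemporaryDirectory() as tmp:
        exe = os.path.join(tmp, "waptagent.exe")
        sidecar = os.path.join(tmp, "waptagent.sha256")
        with open(exe, "wb") as fh:
            fh.write(b"constructed installer bytes")
        pin = sha256_file(exe)
        results = {"cli_pin": verify_installer(exe, pin.upper(), sidecar)}
        with open(sidecar, "w", encoding="ascii") as fh:
            fh.write(pin + "  waptagent.exe\n")
        results["sidecar_pin"] = verify_installer(exe, None, sidecar)
        with open(exe, "ab") as fh:
            fh.write(b"!")  # constructed modification of the download
        results["modified"] = verify_installer(exe, pin, sidecar)
    return results

if __name__ == "__main__":
    print(demo())
```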