Group Policy deployment

For Active Directory environments, push the MSI via Group Policy Software Installation. No custom code; the standard MSI deployment workflow applies.

Prerequisites

  • Domain controller with GPMC installed
  • An SMB share readable by domain computers (e.g. \\server\Software)
  • PermitUSB.msi placed in the share
  • An enrollment token from the dashboard

Steps

  1. Open Group Policy Management Console (gpmc.msc).
  2. Create or edit a GPO scoped to the OU containing target machines.
  3. Computer Configuration → Policies → Software Settings → Software installation.
  4. Right-click → New → Package. Browse to the MSI on the share. Choose Assigned.

Passing TENANT_TOKEN via GPO

GPO Software Installation doesn't pass MSI properties directly. Two options:

  • MST transform (recommended for production): Create a transform with orca.exe setting the Property table's TENANT_TOKEN + SERVER + optional ENDPOINT_GROUP. Attach the .mst on the Modifications tab of the package.
  • Startup script (simpler for small environments): a PowerShell startup script that runs msiexec /i \\server\Software\PermitUSB.msi /qn TENANT_TOKEN="..." on first boot.

Verification

After the next gpupdate + reboot cycle, target machines run the install at boot. Check the dashboard's Endpoints page — newly-enrolled hostnames appear within ~30 seconds of first boot.

Group Policy deployment — PermitUSB docs