Remote computers connecting to their company networks through a VPN presents a challenge for the most common GPO solutions. Many VPNs do not automatically connect at startup. Due to the way Startup scripts and GPO MSI installations policies are designed, they most likely will fail to apply for remote devices.
Here is an alternative method to use Active Directory GPOs to deploy the Automox agent for your remote users
We must distribute the file, and then the file must be installed with elevated rights. Preferably, this should be fully automated.
We will leverage Group Policy preferences to distribute a customized MSI installer to each device, and then after it is in place, we will create a scheduled task to run the installation.
Prepare Your Installer
To reduce the number of places your Automox access key is stored, we will use the following document to Embed Your Access Key into the Automox MSI. This will keep it less distributed as it will not be listed in the Group Policy, and in the event logs.
After you modify the MSI file, store it in a location that is accessible to your target devices. This requires that you store this in your SYSVOL directory or set up a network share that is accessible to your devices.
Create Your GPO
Distribute the File
- Create a new GPO, and open the Group Policy Management Editor.
- Navigate to Computer Configuration > Preferences > Windows Settings > Files
- Right click Files and select New > File
- From the General tab, update the following:
NOTE: Leave the rest of the General settings as default.
- From the Common tab, select the checkbox for Remove this item when it is no longer applied. This will clean up the msi file when the policy is no longer applied.
Schedule the Installation
1. Create a new GPO, and open the Group Policy Management Editor.
2. Navigate to Computer Configuration > Preferences > Control Panel Settings > Scheduled Tasks
3. Right click Scheduled Tasks and select New > Scheduled Task (Windows 7 or later)
4. Click the General tab, update the following:
- Select the Action: Replace
- Enter a name and optional description.
- Set the user account to
- Run whether logged in or not and with the highest privileges.
5. Click the Triggers tab, start a new trigger and set the following:
- Begin the task: At task creation/modification
- Clear the checkbox Delay task for:
- Select Stop task if it runs longer than: and set to 1 hour
- Set the preferred activate time and select the checkbox
- Set to Enabled
6. Click the Actions tab and start a program with these settings:
- Add arguments:
/i "C:\Windows\Temp\Automox_Installer-1.0.29.msi" /qn
7. Click the Conditions tab.
- Select Start only if the following network connection is available: Any connection
8. Click the Settings tab and select the following:
- Stop the task if it runs longer than: 1 hour
- If the running task does not end when requested, force it to stop.
- If the task is already running, then the following rule applies: Do not start a new instance.
9. Click the Common tab and select the following:
- Remove the item when it is no longer applied.
- Item-level targeting > click Targeting
- In the Targeting Editor, click New Item > File Match.
- For Match type, select File exists
- In the Path field enter:
After these values are set, assign the GPO to your desired audience.
Note: You should periodically update this deployment to use the latest Automox Installer. An outdated MSI file will not harm existing installations, but it is best to install the latest version when possible. The latest file downloads can be found here: Download Links for the Latest Automox Installers
Alternative MSI Handling
If you prefer not to modify the MSI installer, you can use the original installer file, and replace the arguments (as described in Schedule the Installation > Step 6) with the following:
/i "C:\Windows\Temp\Automox_Installer-1.0.29.msi" ACCESSKEY=YOUR_ORGANIZATION_KEY /qn