Deploying Microsoft Teams using a Group Policy

May 13, 2020

administration

Today I'll show you how to immediately deploy Microsoft Teams to all of your domain users.

This method will require users to either log out or lock their computer, then log back in for the installation to start in the background.

For this, we will not use the Teams Machine Wide installer. The Teams Machine Wide installer only automatically installs Teams on new user profiles. This means that users who have already logged into their computer once before will not receive Teams.

We want to deploy Teams immediately to our users, and to do this, we will use the regular executable a user would download via Microsoft's website.

Here is the installation process we are going for:

  • A user logs into a domain computer
  • A logon batch script detects if Teams is already installed
  • If Teams is not installed, execute the installer silently
  • Once the installer finishes, a shortcut is automatically created on their desktop

Getting Started

  1. Download the Microsoft Teams executable [Link to Download]
  2. Setup your file share
  3. Create the Logon batch script
  4. Create the Group Policy
  5. Test Logging In

1. Download Microsoft Teams

Download the standard Microsoft Teams executable from Microsoft.

Then, rename it to teams_windows_x64.exe (teams_windows_x86.exe if using the 32-bit installer).

This is only for simplicity's sake; feel free to name it whatever you like.

2. Setup your file share

Now that we have the Microsoft Teams installer, we need to be able to place it in a file share that all of our domain users have access to.

In this example, we have created a new folder named Share on our Domain Controller C:\ drive, and have assigned "Authenticated Users" to have Read & Execute, List folder contents and Read permissions:

Then, right click the folder, click "Properties", click the "Sharing" tab, click "Advanced Sharing", and check the "Share this folder" box:

Then, click "Permissions" and assign "Everyone" to have Read access and click "OK":

3. Create the Logon batch script

Create a new teams_deploy.bat file and paste in the following contents, replacing SERVER with your server name:

IF NOT EXIST "%localappdata%\Microsoft\Teams\Update.exe" (
    "\\SERVER\Share\teams_windows_x64.exe" -s
)

The above script first checks whether the Update.exe executable already exists in the user's AppData\Local\Microsoft\Teams directory before executing the installer silently, for the following reasons:

  • If the user already has Teams installed on their computer, the Update.exe file will exist, so we will not attempt the installation again

  • If the user has uninstalled Teams on their computer via the control panel, the Update.exe file will remain (until it is manually deleted)

This ensures that we don't keep reinstalling Teams for users who have chosen to uninstall it.

Now that we have created the teams_deploy.bat file and have the teams_windows_x64.exe file, transfer both files into your C:\Share folder on your domain controller / file server.
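
Every user who receives the GPO runs whatever sits at these two paths, so before linking the policy it is worth confirming that only administrators can modify them and that the installer is still the Microsoft-signed binary. The PowerShell below is an added example, not part of the original post; the \\SERVER\Share path follows this post, and the list of trusted SIDs is an assumption to adjust for your domain.

```powershell
# Added example (not from the original post). Assumed: \\SERVER\Share as above,
# and that only the SIDs matched below should be able to change its contents.
$Share = '\\SERVER\Share'
$Files = 'teams_windows_x64.exe', 'teams_deploy.bat'
# SYSTEM, BUILTIN\Administrators, CREATOR OWNER, Domain Admins (assumed list)
$TrustedSid = '^(S-1-5-18|S-1-5-32-544|S-1-3-0|S-1-5-21-.+-512)$'

# Rights that let a principal replace or alter what every user runs at logon.
$R = [System.Security.AccessControl.FileSystemRights]
$WriteMask = [int]($R::WriteData -bor $R::AppendData -bor $R::Delete -bor
    $R::DeleteSubdirectoriesAndFiles -bor $R::ChangePermissions -bor
    $R::TakeOwnership)
$GenericMask = 0x50000000   # raw GENERIC_WRITE | GENERIC_ALL bits in an ACE

function Get-UntrustedWriter {
    param([string]$Path)
    foreach ($rule in (Get-Acl -LiteralPath $Path).Access) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        $rights = [int]$rule.FileSystemRights
        if (-not ($rights -band ($WriteMask -bor $GenericMask))) { continue }
        try {
            $sid = $rule.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        } catch { $sid = 'unresolved' }   # unknown accounts count as untrusted
        if ($sid -notmatch $TrustedSid) {
            [pscustomobject]@{ Path = $Path; Identity = $rule.IdentityReference
                               Rights = $rule.FileSystemRights }
        }
    }
}

# Check the folder and both files the logon script depends on.
$problems = @(Get-UntrustedWriter -Path $Share)
foreach ($name in $Files) {
    $problems += @(Get-UntrustedWriter -Path (Join-Path $Share $name))
}
$problems | Format-Table -AutoSize

# The installer should carry a valid Microsoft Authenticode signature.
$sig = Get-AuthenticodeSignature -FilePath (Join-Path $Share $Files[0])
$signedByMicrosoft = $sig.Status -eq 'Valid' -and
    $sig.SignerCertificate.Subject -match 'O=Microsoft Corporation'

if ($problems.Count -gt 0 -or -not $signedByMicrosoft) {
    Write-Warning "Fix before linking the GPO: signature=$($sig.Status), writable ACEs=$($problems.Count)"
} else {
    Write-Output 'Installer is Microsoft-signed and the share is not writable by untrusted accounts.'
}
```

Run it from an account that can read the share's ACLs; any row in the table is an allow entry that lets a non-listed account change what runs at logon.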

4. Create the Group Policy

To execute our teams_deploy.bat script, we will create a new User Configuration Group Policy.

Open the Group Policy Management app on your domain controller, and link a new group policy to the Organizational Unit that contains your users.

  1. On the left hand tree menu, expand User Configuration
  2. Expand Policies
  3. Expand Windows Settings
  4. Click Scripts (Logon/Logoff)
  5. In the right pane, double click Logon
  6. In the Logon Properties window, click Add
  7. In the Script Name field, type \\SERVER\Share\teams_deploy.bat
  8. Click OK and then OK again on the Logon Properties window

Your group policy should look like this:

5. Test Logging In

On a domain joined computer, log in, open a new command prompt (not as administrator), and run:

gpupdate /force

Then, log out, and log back in. After about 3-4 minutes, you should see the Microsoft Teams desktop icon created automatically.

Tips

  • After logging into a computer that has received your new group policy, you can open up the task manager and see the installation taking place in the background.

  • To test this GPO before deploying it to all users, you can simply drop your own domain test user account into its own organizational unit and link the GPO there.

  • If your users are connecting remotely to your domain using a VPN like Cisco AnyConnect, this GPO can still be executed if the user locks their computer and then logs back in with the VPN connection still active. This presumes, however, that the user has already received the new GPO, which may take a couple of hours of being connected to the VPN.