Jeremy Moskowitz founded PolicyPak Software after working with hundreds of customers with the same problem: they couldn’t manage their applications, browsers and operating systems using the technology they already utilized.
Software Deployment Tools: SCCM vs Intune vs GPO vs More
There are many software deployment tools to deliver software and updates to your endpoints, but just because you have a lot of options doesn’t mean it has to be confusing. You might pick one software deployment tool to do it all, or you might pick several automated software deployment tools depending on your needs. No software deployment tool is a “one size fits all” solution for every company, so in this quick guide, we will help you navigate some of the most popular software deployment tools and give you our advice on which methods to use to deploy software and 3rd party patches.
Here’s the overview of what we’ll explore in this paper in Table 1.
| Tool | Pros | Cons |
|---|---|---|
| SCCM Software Deployment / Other On-Prem Software Deployment | Might already be installed | 3rd party application support is a costly add-on; lots of moving parts/a lot to go wrong |
| Intune Software Deployment / Other MDM Software Deployment or RMM Software Deployment Tools | Might already be in place | 3rd party application support is a costly add-on; must re-package .EXEs into .INTUNEWIN files; no automatic update from version to version |
| PolicyPak Remote Work Delivery Manager | Copies down files and software using BITS protocol; works with SMB and Web Shares; automatically keeps software updated; “Robocopy-like” file copy function | No pre-packaged catalog; reporting limited to your software deployment method (Group Policy, MDM, or PolicyPak Cloud) |
| PolicyPak Scripts Manager | Good for Evergreen scripted applications | Doesn’t download using BITS protocol; no pre-packaged catalog; reporting limited to your deployment method (Group Policy, MDM, or PolicyPak Cloud) |
Software Deployment Checklist
If you’re already happy with your own software deployment tool, that’s great. But if you have no way to deploy software or have something you aren’t thrilled with, you should check out this guide. Let’s start by investigating the on-prem and cloud-based software deployment tools you might already have.
Big on-prem management software deployment tools, like MEMCM, LANDesk, KACE, SpiceWorks, Chef, BMC etc.
MEMCM, LANDesk, KACE, SpiceWorks, Chef, BMC and others are often integrated into large networks. Typically, these systems have their own engineers who do nothing but manage the systems, and they use the systems to deploy software to all the computers.
Although this organizational setup is fine, the group that runs MEMCM (or similar systems) might be different than the people who deal with the security, management, or automation of Windows 10. As such, you might find it beneficial to alternatively perform some software installations via PolicyPak Remote Work Delivery Manager.
Also, it is quite common to add on additional software to MEMCM to specifically help manage 3rd party non-Microsoft updates more easily. In Figure 1, you can see where MEMCM has the ability to connect 3rd party paid catalogs.
If you don’t have anything like this already purchased and integrated into MEMCM, we recommend you check out the software deployment alternatives mentioned later in this paper. If you’re already a PolicyPak customer, PolicyPak Remote Work Delivery Manager might be just what you need for your ongoing software installation needs.
Big cloud management systems, like Microsoft Intune, VMware Workspace One, Citrix Endpoint Manager, and any system for MSPs that deploys software
These big, born-in-the-cloud systems are trying to take over where the big on-prem systems leave off. Indeed, you can now join on-prem MEMCM with in-cloud Intune to deploy software.
With that being said, even systems like Intune have a bunch of limitations. First, it doesn’t have any easy way to deploy the .MSI of an application and then automatically keep it updated. Instead, you would have to introduce the next version each time you update and patch.
However, even more importantly, Intune doesn’t have a direct way of deploying .EXE applications (also known as Win32 applications) that perform software installations. Instead, you first need to wrap them up into something that it can handle using the Intune Win32 App Packaging & Prep Tool (found here: https://github.com/Microsoft/Intune-Win32-App-Packaging-Tool). This manual procedure wraps up your .EXE into an .INTUNEWIN file as shown in Figure 2.
Only then is the software prepped and ready for deployment with Intune. Each time you want to deploy software or deploy patches to existing software (or increase the version number), you need to do the following steps again:
- Download the new version of the application
- Package the application into a .INTUNEWIN file
- Upload the package into Intune
- Deploy the application to your Windows 10 machines
With this method, it can be a real chore to keep these machines updated with latest application patches. For instance, if you want to deploy the latest version of Firefox, you must do all the steps mentioned above to deploy to Intune as shown in Figure 3.
With that being said, an MDM system like Intune does have good reporting on results. Therefore, it could be worth using Intune to deploy your more important, but static packages. However, you might find it beneficial to alternatively perform some software installations and automatic updates via PolicyPak Remote Work Delivery Manager.
PDQ Deploy (from our friends at PDQ)
PDQ Deploy is an excellent on-prem system which enables you to deploy software and report on installation results. PDQ Deploy comes in two versions: Free and Enterprise. The Free tool is excellent, and in many cases is just enough to replace a big on-prem tool like MEMCM or LANDesk. It’s also dramatically cheaper since it comes in both a Free and a very cost-effective paid Enterprise version.
A list of the different features of the two versions can be found here: https://documentation.pdq.com/PDQDeploy/126.96.36.199/index.html?features-overview.htm
For those without a large on-prem software deployment tool, we at PolicyPak would recommend you use PDQ Deploy for the following key tasks:
- Initial installation of the PolicyPak client-side extension and additional updates
- Deploying complex packages like Office, Java, or “nested” installations
- Anytime you need guaranteed reports of success or failure
- Anytime you want timed or scheduled releases
PDQ works best when machines are domain-joined and the source of your packages is on SMB (standard Windows shares). As an alternative, you can also use PDQ when you know the local password of the target machine. You can also perform software delivery through a VPN, but you do end up utilizing VPN bandwidth as endpoints download the software over SMB.
The PDQ Deploy Enterprise version comes with preconfigured advice for existing software packages. This makes for quick deployment and easy maintenance of some more tricky packages. Sometimes a vendor’s install packages aren’t as straightforward to install and deploy as expected, but the PDQ Deploy Enterprise version can take a difficult package and get it installed quickly. You can see an example of the PDQ Package Library in Figure 4.
We here at PolicyPak routinely recommend PDQ Deploy for organizations who don’t want to roll out a large software deployment tool, like MEMCM, simply to deliver software to their on-prem and VPN connected machines. PDQ Deploy is very lightweight and priced per admin, and thousands of happy admins use the tool successfully.
PolicyPak and PDQ work very nicely together in many areas. You should check out our “better together” videos here: https://www.policypak.com/integration/policypak-and-pdq.html
File and Software Delivery with PolicyPak plus Script Execution
PolicyPak’s superpowers bring new features to the on-prem or cloud systems you already use. In this section, we’ll explain how PolicyPak can automate more of your software delivery and keep your Windows 10 machines updated. You can use these PolicyPak features alongside what you already have or by themselves.
PolicyPak Remote Work Delivery Manager
The goal of PolicyPak Remote Work Delivery Manager is to copy files from on-prem or web shares and install software after those files are downloaded. PolicyPak Remote Work Delivery Manager is built into all editions of PolicyPak: Group Policy Edition, MDM Edition, and Cloud Edition (see Figure 5). However, PolicyPak Remote Work Delivery Manager works in a different manner than the tools mentioned above, and it is meant for different workloads.
PolicyPak Remote Work Delivery Manager can copy any files (including .MSIs, .EXEs, and others) from either SMB (standard Windows shares) or web-based shares (like Amazon S3, Dropbox, Azure Blob storage and more), as shown in Figure 6.
One main use case for PolicyPak Remote Work Delivery Manager is to get new software deployed to non-domain-joined machines over the Internet. This is to satisfy the working from home or remote work team and is a perfect fit when PolicyPak customers use it with PolicyPak Cloud as shown in Figure 7.
When users are remote and using PolicyPak Cloud Edition or PolicyPak MDM Edition (or even on-prem or over VPN with PolicyPak Group Policy Edition), software and other files are downloaded using Windows 10’s (near magical) Background Intelligent Transfer Service (BITS) protocol. The following is taken from the BITS documentation at https://docs.microsoft.com/en-us/windows/win32/bits/background-intelligent-transfer-service-portal
Because PolicyPak takes advantage of BITS, a large download that is interrupted (perhaps by shutting off a desktop, closing the lid on a laptop, or changing networks from on-prem to home) picks up where it left off. This means you can confidently download very large files and then perform some work on them once the download has fully completed on the target machine.
PolicyPak Remote Work Delivery Manager can download those files either from on-prem SMB shares (over Ethernet, Wi-Fi, or VPN) or from web shares (Amazon S3, Dropbox or Azure Blob storage). PolicyPak Remote Work Delivery Manager will originate the download from that source point and typically side-step any use of VPN bandwidth. Therefore, it is ideal for work-from-home and other remote work scenarios where you cannot guarantee VPN connections, and when you don’t want to use VPN bandwidth to download the software.
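As an added illustration (this is not PolicyPak's code and is not taken from the original paper), the PowerShell below shows the pattern described above using the built-in BitsTransfer cmdlets: a resumable BITS download, a publisher signature check on the downloaded file, then a silent install. The URL, staging path, job name and expected signer are placeholder assumptions.

```powershell
# Added example, not PolicyPak's implementation. Placeholder values (assumptions):
$Source         = 'https://files.example.com/packages/app.msi'  # hypothetical web share
$Destination    = Join-Path $env:ProgramData 'Staging\app.msi'   # hypothetical staging path
$ExpectedSigner = 'CN=Example Publisher'                         # hypothetical signer subject
$JobName        = 'staging-app-msi'                              # hypothetical job name

Import-Module BitsTransfer
New-Item -ItemType Directory -Path (Split-Path $Destination) -Force | Out-Null

# Re-use an unfinished job from an earlier run so the transfer resumes rather than restarts.
$job = Get-BitsTransfer -Name $JobName -ErrorAction SilentlyContinue | Select-Object -First 1
if (-not $job) {
    $job = Start-BitsTransfer -Source $Source -Destination $Destination `
        -DisplayName $JobName -Priority Normal -Asynchronous
}

# Poll until BITS reaches a final state; TransientError means BITS will retry by itself.
while ([string]$job.JobState -in 'Queued', 'Connecting', 'Transferring', 'TransientError', 'Suspended') {
    if ($job.JobState -eq 'Suspended') { Resume-BitsTransfer -BitsJob $job -Asynchronous | Out-Null }
    Start-Sleep -Seconds 5
    $job = Get-BitsTransfer -JobId $job.JobId
}

if ($job.JobState -ne 'Transferred') {
    $state  = $job.JobState
    $reason = $job.ErrorDescription
    Remove-BitsTransfer -BitsJob $job
    throw "BITS transfer ended in state ${state}: $reason"
}
Complete-BitsTransfer -BitsJob $job   # moves the finished download to $Destination

# Install only a file carrying a valid Authenticode signature from the expected publisher.
$sig = Get-AuthenticodeSignature -FilePath $Destination
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notlike "$ExpectedSigner*") {
    Remove-Item -Path $Destination -Force
    throw "Refusing to install: signature status is '$($sig.Status)'"
}

# Silent install; 0 is success and 3010 is success with a reboot pending.
$proc = Start-Process -FilePath msiexec.exe -Wait -PassThru `
    -ArgumentList '/i', "`"$Destination`"", '/qn', '/norestart'
if ($proc.ExitCode -notin 0, 3010) {
    throw "msiexec failed with exit code $($proc.ExitCode)"
}
```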
For a quick overview video of PolicyPak Remote Work Delivery Manager with on-prem shares, see: https://kb.policypak.com/kb/article/962-install-software-with-smb-standard-share/.
For a quick overview video of PolicyPak Remote Work Delivery Manager using web shares, see: https://kb.policypak.com/kb/article/963-install-software-using-web-based-shares/.
For a quick overview video of PolicyPak Remote Work Delivery Manager with PolicyPak Cloud, see: https://kb.policypak.com/kb/article/964-deploy-software-with-policypak-cloud/.
PolicyPak Remote Work Delivery Manager isn’t meant to necessarily replace software like MEMCM, Intune, or PDQ Deploy in every circumstance. But if you have modest needs to deploy software and keep it automatically updated, then PolicyPak Remote Work Delivery Manager can provide this for many circumstances using SMB or web-based shares.
For instance, to deploy 7Zip the first time, point your source to whatever version you want to get started with. In this case, I’ve renamed 7Zip version 16 installer to 7z.msi as shown in Figure 8.
Then, 7Zip 16 installs on the endpoints as expected as seen in Figure 9.
Then, to perform an update and patch of 7Zip 16 to 19 on the underlying share, replace the underlying 7z.msi with the latest version (17, 18, 19, etc.). PolicyPak will automatically reach out to the source, see that a new version is present, pull down the updated patch, and automatically update. No additional time is needed and nothing needs to be re-deployed to any console. With the steps performed in PolicyPak Remote Work Delivery Manager, the updates now magically occur. The final result after exchanging 7z.msi version 16 for 19 is shown in Figure 10.
You can see a demonstration of the PolicyPak Remote Work Delivery Manager automatic updating procedure here: https://kb.policypak.com/kb/article/967-automatic-patching-and-updates/.
Besides copying down files and running a process to install them, PolicyPak Remote Work Delivery Manager also solves a few other challenges that the other software in this paper doesn’t attempt to solve. For example, PolicyPak Remote Work Delivery Manager has a special function which is a lot like the popular Windows 10 tool, Robocopy. That is, it gives you the ability to specify the following: the source and which files to copy, the directory depth (including recursive directories), and a myriad of filters (size, date, last modified, etc.). None of the other tools we’ve mentioned above are attempting to take this on.
PolicyPak Remote Work Delivery Manager also enables the admin to specify an archive file (a .ZIP file). That .ZIP file can be automatically downloaded and unpacked for the end user. If the source .ZIP file contents are updated, PolicyPak Remote Work Delivery Manager keeps the destination files automatically updated; no additional policies or interaction are required.
You can see PolicyPak’s “Robocopy-like” function here: https://kb.policypak.com/kb/article/966-mass-copy-folders-and-files-with-filters-and-recursion/.
You can see PolicyPak’s file .ZIP/archive management function here: https://kb.policypak.com/kb/article/965-copy-files-and-keep-them-up-to-date-with-your-mdm-service/.
PolicyPak Remote Work Delivery Manager is the most effective way for PolicyPak customers to deploy files and software once and keep them updated on Windows 10 machines on and off the corporate network.
PolicyPak Scripts Manager
PolicyPak Scripts Manager is another way to use PolicyPak to deploy software. PolicyPak Scripts Manager will run a script of your choice. That script could be something that copies files or downloads something from an arbitrary source. Then after the files are copied, you can run an install process or script, which is similar to how PolicyPak Remote Work Delivery Manager can run an install process or script after a download job completes.
You can see how we do this (in detail) in our KB at https://kb.policypak.com/kb/article/839-03-how-to-silently-install-firefox-esr-chrome-and-winzip-14-5-using-policypak-scripts-manager/ or (in brief) in Figure 11.
With that being said, PolicyPak Scripts Manager doesn’t have the built-in abilities of PolicyPak Remote Work Delivery Manager. PolicyPak Scripts Manager doesn’t use BITS for intelligent transfer of large files, nor does it have the complex filters or the ability to perform complex, recursive, filtered, “Robocopy-like” operations.
But PolicyPak Scripts Manager might be just the ticket if you want to run a script that will install software from a distribution source that is already on the Internet. One of our favorite ways to use PolicyPak Scripts Manager is to script the installation of pre-created packages from Chocolatey.org. Another way to use PolicyPak Scripts Manager to deploy software is via Evergreen scripts which point directly to the software vendor’s source and perform the installation directly. This is good for short downloads, but may not be ideal when the installer is large, or the computer is at risk of stopping and restarting the transfer. (That’s where PolicyPak Remote Work Delivery Manager can help because it uses the BITS protocol.)
You can see a video on how to use PolicyPak Scripts Manager to deploy packages from Chocolatey.org here: https://kb.policypak.com/kb/article/953-policypak-scripts-automate-software-deployments-with-pp-scripts-and-chocolaty-org/
You can see a video on how to use PolicyPak Scripts Manager to deploy scripted Evergreen packages here: https://kb.policypak.com/kb/article/901-policypak-scripts-deploy-software-via-vpn-or-with-policypak-cloud/
Reporting on Software Delivery
PolicyPak Remote Work Delivery Manager and PolicyPak Scripts Manager connect with the reporting engine you already use to determine if your settings have been realized.
- For PolicyPak Group Policy Edition, you can use either the Group Policy Management Console’s Group Policy Results Reports or PolicyPak’s (free) PolicyPak Group Policy Compliance Reporter.
- For the PolicyPak MDM Edition, you can leverage your MDM’s reports.
- For the PolicyPak Cloud Edition, you can leverage the PolicyPak Cloud reporting system.
With that being said, any of these reports can only tell you if the policy to deliver the software (or keep it updated) was processed. The reporting system cannot know the actual installation status (success or failure) of any specific software. If deep reporting with returned result codes is a concern for you, then you might require the other tools on this list, like PDQ Deploy.
There’s no one tool that can handle all the software deployment needs of all companies. In this overview we wanted to share where each tool can be used, so no software is left undeployed and all needs are met. PolicyPak Scripts Manager and PolicyPak Remote Work Delivery Manager come with all editions of PolicyPak. We think you’ll be able to use them for much of your software deployment needs or augment what you already have.