Problem: Software that was installed via Group Policy needs to be removed or upgraded and the original policy responsible for deploying said software no longer exists. Furthermore, attempting to remove the software manually via Programs and Features while logged into an account with Administrative privileges results in error messages similar (or identical) to this one:
Solution: We need to create a brand new GPO for software removal. Before we do, here’s a quick outline of what needs to be done:
- Locate the original MSI package and copy it to an accessible network location.
- Create a new unlinked GPO
- Use the new GPO to re-deploy the package (or packages — it is possible to remove multiple packages with the same policy.) Make sure that “Uninstall the applications when they fall out of the scope of management.” is checked on either the package, or the entire policy (or both.)
- Use security filtering to target the objects that need to have the software uninstalled. Make sure you read this post first; it might save you a bunch of time and frustration.
- Allow enough time to pass for Group Policy to refresh. Alternatively, force a refresh via reboots and/or gpupdate /force
- Remove the machines targeted in step #3 from Security Filtering.
- Repeat step #5
Let’s get to it then…
Step #1: Locate the original MSI package — read this post — and copy it to an accessible network location.
Step #2: Create a new unlinked GPO.
Step #3: Use the new GPO to re-deploy the package or packages — it is possible to remove multiple packages with the same policy. Make sure that “Uninstall the applications when they fall out of the scope of management.” is checked on either the package, policy, or both.
Close the Group Policy Management Editor when you are done configuring your policy.
Step #4: Use security filtering to target the objects that need to have the software uninstalled. Make sure you read this post first; it might save you a bunch of time and frustration.
In the next few steps, I’m going to use Security Filtering to target only the machine that needs this policy. In the examples that follow, the machine name is W7PRO64-STAGING. You could just as easily use Security Filtering to filter on a Security Group containing users, computers, or both; or you could target a specific user in the same way that I’m going to target the machine in my example. Just remember that the standard rules about OUs still apply: regardless of whether you use a Security Group or target the object (user or computer) directly, the targeted object needs to exist within the OU to which the policy is linked. Also remember that if your policy is supposed to target User objects, then any settings need to be configured under User Configuration; if it targets Computer objects, then your settings need to be configured under Computer Configuration.
Step #5: Allow enough time to pass for Group Policy to refresh. Alternatively, force a refresh via reboots (at least two reboots) and/or gpupdate /force
One way to tell if the MSI deployed by your “removal policy” was actually re-deployed is by checking the install date (found in the “Installed On” column) in Programs and Features — it should be updated to the date that the software was re-deployed.
Some things can go wrong here:
- Group Policy might not refresh for a long time, or not at all. Try enabling the following two items on the policy (if it is being applied to a Computer). These settings need to be applied to the Computer, so you may need to create a new policy and link it to the OU containing your targeted Computer objects.
  - Navigate to Computer Configuration\Policies\Administrative Templates\System\Logon and set “Always wait for the network at computer startup and logon” to Enabled.
  - Navigate to Computer Configuration\Policies\Administrative Templates\System\Group Policy, set “Configure software installation policy processing” to Enabled, and check both “Allow processing across a slow network connection” and “Process even if the Group Policy objects have not changed”.
Step #6: Remove the objects targeted in step #3 from Security Filtering and/or unlink the policy.
Do either (or both) of the following:
This will force an “out of scope” status, and the software should be uninstalled after Group Policy refreshes.
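Steps #2, #4, #5 and #6 can also be scripted with the GroupPolicy PowerShell module. The following is an added example, not part of the original post: the GPO name and OU path are hypothetical placeholders, W7PRO64-STAGING is the example machine used above, and Step #3 (adding the MSI package) is left to the Group Policy Management Editor.

```powershell
#Requires -Modules GroupPolicy
# Added example. $GpoName and $TargetOu are hypothetical placeholders.
$GpoName  = 'Software Removal (temporary)'
$TargetOu = 'OU=Staging,DC=example,DC=com'
$Computer = 'W7PRO64-STAGING'

function New-RemovalGpo {
    # Step #2: a new GPO starts out unlinked, so it applies to nothing yet.
    New-GPO -Name $GpoName -Comment 'Re-deploy MSI so it uninstalls when out of scope' | Out-Null

    # Step #4: security filtering. Lower Authenticated Users from Apply to Read
    # (-Replace is needed to reduce an existing permission), then grant Apply
    # to the single target computer only.
    Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
        -PermissionLevel GpoRead -Replace | Out-Null
    Set-GPPermission -Name $GpoName -TargetName $Computer -TargetType Computer `
        -PermissionLevel GpoApply | Out-Null

    # Show the resulting filter so it can be reviewed before the GPO is linked.
    Get-GPPermission -Name $GpoName -All |
        Select-Object @{n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
}

function Enable-RemovalGpo {
    # Run only after the package has been added in the editor (Step #3).
    New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes | Out-Null
    # Step #5: request a refresh. Software installation is processed at
    # computer startup, so the machine still has to be rebooted.
    Invoke-GPUpdate -Computer $Computer -Target Computer -Force -RandomDelayInMinutes 0
}

function Disable-RemovalGpo {
    # Step #6: take the computer out of scope and unlink the policy.
    Set-GPPermission -Name $GpoName -TargetName $Computer -TargetType Computer `
        -PermissionLevel None -Replace | Out-Null
    Remove-GPLink -Name $GpoName -Target $TargetOu | Out-Null
    Invoke-GPUpdate -Computer $Computer -Target Computer -Force -RandomDelayInMinutes 0
}

# Typical order:
#   New-RemovalGpo       # then add the MSI in the editor (Step #3)
#   Enable-RemovalGpo    # reboot; confirm the "Installed On" date changed
#   Disable-RemovalGpo   # reboot; the package should now be uninstalled
```

Invoke-GPUpdate schedules the refresh remotely and depends on the target accepting remote scheduled-task management; running gpupdate /force on the machine itself is the equivalent fallback.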