FortiDLP
FortiDLP is a cloud-native endpoint DLP and insider risk solution aimed at monitoring and preventing data theft on the endpoint, across Windows, macOS and Linux.
Anthony_E, Staff
Article Id 353801
Description This article describes how to deploy FortiDLP Agents using Group Policy (GPO) Software Installation.
Scope FortiDLP.
Solution

Windows Domain Group Policy Objects (GPO) can be used to push out a specific version of the FortiDLP Agent. If using GPO to deploy the FortiDLP Agent, there are two important factors to consider:

  1. An enrollment bundle or code must be included as part of an MST transform.
  2. The FortiDLP Auto-Update mechanism (where new versions of the FortiDLP Agent are pushed directly from the FortiDLP platform) must NOT be used.

 

MSI transforms (MST):

To complete this process successfully, transform the installer and supply the path to an enrollment bundle or explicitly include an enrollment code so that the installer can find and use this information to enroll the agent during the initial installation.

 

General Method:

These instructions were written assuming a Windows Server 2012 acting as Domain Controller. For earlier versions see these instructions from Microsoft, following the 'assign software' process.

  1. Create a network share to host the MSI package(s), and copy the FortiDLP Agent MSI installer to this share. It is essential that a network share (path beginning with '\\') is used, rather than a local drive path (beginning with 'C:\' or 'D:\').
  2. Open 'Group Policy Management' from 'Administrative Tools' and, under the domain, right-click 'Group Policy Objects', select 'New' and name the new policy object 'Install FortiDLP Agent'.
  3. Open the new policy and, under 'Security Filtering', configure the users/computers that should install the FortiDLP Agent.
  4. Right-click the new policy and select 'Edit' to open the Group Policy Management Editor. Under Computer Configuration -> Policies -> Software Settings -> Software installation, right-click and select New -> Package.
  5. Select the MSI package for the FortiDLP Agent from the share created earlier, and choose 'Advanced'.
  6. Open the Modifications tab and add the relevant MST modification file.
  7. Return to the 'Group Policy Management' screen, right-click the domain and choose 'Link an existing GPO', choose 'Install FortiDLP Agent', and select 'OK'.
  8. If deploying to machines using a language other than English, ensure that the Advanced Option 'Ignore language when deploying this package' is selected.


Upgrades:

Upgrades must NOT be pushed from the FortiDLP platform if using GPO. Doing so will conflict with the version required by the GPO and result in upgrade/downgrade cycles. Upgrades should instead be pushed through the existing GPO policy by adding the new version of the agent MSI together with any existing transform(s).


Fortinet recommends keeping a copy of each MSI ever used in the same shared folder.

 

Troubleshooting:

In some instances, the FortiDLP Agent may fail to install using the default GPO settings listed above. In such instances, it is recommended to confirm the following settings are in use:

  1. The file permissions on the MSI package grant 'Domain Computers' Read and Execute access.
  2. 'Specify startup policy processing wait time' is enabled and set to 90 seconds, under Administrative Templates -> System -> Group Policy.
  3. 'Always wait for the network at computer startup and logon' is enabled, under Administrative Templates -> System -> Logon.
  4. These additional GPO settings can be disabled once all machines have been installed and enrolled, if startup performance is reduced as a result.

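As an added example (not code from the Fortinet article), the following PowerShell function checks, from a domain-joined client, the share requirement from the General Method and the settings from the Troubleshooting list: that the package path is a UNC share, that the MSI and its MST transform are present, that 'Domain Computers' has Read and Execute on the MSI, and that the two startup policy settings are applied. The share path, file names, and the registry locations assumed to back the two policy settings (GpNetworkStartTimeoutPolicyValue and SyncForegroundPolicy) are assumptions to adjust for your environment.

```powershell
# Added example (not from the Fortinet article). Checks the GPO deployment
# prerequisites described above. Share path, file names and registry
# locations are assumptions.
function Test-FortiDlpGpoPrerequisites {
    param(
        [Parameter(Mandatory)] [string] $SharePath,              # e.g. \\fileserver\Software\FortiDLP (assumed)
        [string] $MsiName   = 'FortiDLPAgent.msi',               # assumed file name
        [string] $MstName   = 'FortiDLPAgent-enrollment.mst',    # assumed transform name
        [string] $Principal = 'Domain Computers'                 # group needing Read and Execute
    )
    $results = [ordered]@{}

    # 1. The package must live on a UNC share, not on a local drive path.
    $results['UncPath'] = $SharePath.StartsWith('\\')

    # 2. Both the MSI and the MST transform (carrying the enrollment data) must be on the share.
    $msi = Join-Path $SharePath $MsiName
    $mst = Join-Path $SharePath $MstName
    $results['MsiPresent'] = Test-Path -LiteralPath $msi
    $results['MstPresent'] = Test-Path -LiteralPath $mst

    # 3. The computer account fetches the package at startup, so 'Domain Computers'
    #    needs an Allow ACE that covers ReadAndExecute on the MSI.
    $results['DomainComputersReadExecute'] = $false
    if ($results['MsiPresent']) {
        $rx = [int][System.Security.AccessControl.FileSystemRights]::ReadAndExecute
        foreach ($ace in (Get-Acl -LiteralPath $msi).Access) {
            $isPrincipal = $ace.IdentityReference.Value -like "*\$Principal"
            $hasRx       = (([int]$ace.FileSystemRights) -band $rx) -eq $rx
            if ($isPrincipal -and $ace.AccessControlType -eq 'Allow' -and $hasRx) {
                $results['DomainComputersReadExecute'] = $true
            }
        }
    }

    # 4. Client-side registry values behind the two troubleshooting settings
    #    (locations assumed from the standard Group Policy ADMX definitions).
    $sys = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
    $wl  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $wait = (Get-ItemProperty -Path $sys -Name GpNetworkStartTimeoutPolicyValue -ErrorAction SilentlyContinue).GpNetworkStartTimeoutPolicyValue
    $sync = (Get-ItemProperty -Path $wl  -Name SyncForegroundPolicy -ErrorAction SilentlyContinue).SyncForegroundPolicy
    $results['StartupWait90s'] = ($wait -ge 90)
    $results['WaitForNetwork'] = ($sync -eq 1)

    [pscustomobject]$results
}

# Run on a target client; any $false entry points at the prerequisite to fix.
Test-FortiDlpGpoPrerequisites -SharePath '\\fileserver\Software\FortiDLP' | Format-List
```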
