Mass Deployment via Active Directory Group Policy (GPO)

Roll out the Zeuslock browser extensions and Windows desktop agent across a domain with GPMC, ADMX templates, and Software Installation policies.

What this guide covers

This is the procedure a Windows admin runs to push Zeuslock to every domain-joined endpoint in one shot, without touching individual machines. Two artifacts get deployed: the Zeuslock browser extensions for Edge and Chrome (via ADMX-backed policies), and the Zeuslock desktop agent MSI (via Computer Configuration Software Installation). End users see nothing — the next time they log in, the extension is force-installed and the agent service is running.

Prerequisites

  • An Active Directory domain with at least one writable domain controller and a functioning SYSVOL.
  • Group Policy Management Console (GPMC) installed on your admin workstation (part of RSAT).
  • An account with Domain Admin rights, or membership in Group Policy Creator Owners plus delegated link rights on the target OU.
  • Domain-joined Windows 10 (1809+) or Windows 11 endpoints.
  • A UNC share readable by the Domain Computers group for the MSI payload.
  • An enrollment token from Settings → Deployment in the Operator Console at app.zeuslock.ai.

Always pilot first. Start with an OU containing 5-20 IT machines, validate, then expand in rings.

Part 1 — Force-install the browser extensions via ADMX

1. Import the Zeuslock ADMX bundle

Download the latest bundle on your admin workstation:

Invoke-WebRequest -Uri "https://download.zeuslock.ai/admx/latest.zip" -OutFile "$env:TEMP\zeuslock-admx.zip"
Expand-Archive "$env:TEMP\zeuslock-admx.zip" -DestinationPath "$env:TEMP\zeuslock-admx" -Force

Copy the files into the SYSVOL central store so every DC serves the same templates:

# Both the share host and the folder under SYSVOL are the domain FQDN (corp.local is the example domain used in this guide)
$Store = "\\corp.local\SYSVOL\corp.local\Policies\PolicyDefinitions"
Copy-Item "$env:TEMP\zeuslock-admx\Zeuslock.admx" -Destination $Store -Force
# One .adml per language folder; create the folder first, since a fresh central store usually has only en-US
foreach ($lang in 'en-US', 'fr-FR', 'es-ES', 'de-DE') {
    New-Item -Path "$Store\$lang" -ItemType Directory -Force | Out-Null
    Copy-Item "$env:TEMP\zeuslock-admx\$lang\Zeuslock.adml" -Destination "$Store\$lang\" -Force
}

Do not drop the ADMX into C:\Windows\PolicyDefinitions\ on each DC. That path is local-only and will give you mismatched templates across the domain. The central store under SYSVOL is the only correct location.

2. Create and link the GPO

  1. Open GPMC (gpmc.msc).
  2. Right-click your domain → Create a GPO in this domain, and Link it here…. Name it Zeuslock - Browser Extensions.
  3. Right-click the new GPO → Edit.
  4. Initially link it to your pilot OU (for example OU=Pilot,OU=Workstations,DC=corp,DC=local), not the root.

3. Configure force-install for Edge

  1. Navigate to Computer Configuration → Policies → Administrative Templates → Microsoft Edge → Extensions.
  2. Open Configure the list of force-installed apps and extensions and set it to Enabled.
  3. Click Show… and add this entry exactly:
iicgcadhcgbckmpapjihechjpgcdamhd;https://clients2.google.com/service/update2/crx

4. Repeat for Google Chrome

Under Computer Configuration → Policies → Administrative Templates → Google → Google Chrome → Extensions, repeat the same steps with the same extension ID and update URL.

Verify ExtensionInstallBlocklist does not contain the Zeuslock ID or a wildcard (*). A wildcard blocklist will silently override the forcelist unless the Zeuslock ID is also explicitly allowlisted.
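The same GPO built with the RSAT GroupPolicy module instead of clicking through GPMC, as an added example that is not a Zeuslock-supplied script. It assumes the pilot OU DN from step 2 and writes the entry to the registry keys the Edge and Chrome ADMX forcelist policies populate.

```powershell
# Added example (not a Zeuslock-supplied script): build the browser-extension GPO with the RSAT
# GroupPolicy module instead of clicking through GPMC. Assumes the pilot OU DN from step 2.
Import-Module GroupPolicy

$GpoName = 'Zeuslock - Browser Extensions'
$PilotOU = 'OU=Pilot,OU=Workstations,DC=corp,DC=local'
$Entry   = 'iicgcadhcgbckmpapjihechjpgcdamhd;https://clients2.google.com/service/update2/crx'

# ExtensionInstallForcelist is a list policy: REG_SZ values named "1", "2", ... under the policy
# key. Edge and Chrome read different keys, so the same entry goes into both.
$ForcelistKeys = @(
    'HKLM\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist',
    'HKLM\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist'
)

$gpo = try { Get-GPO -Name $GpoName -ErrorAction Stop } catch { $null }
if (-not $gpo) { $gpo = New-GPO -Name $GpoName -Comment 'Force-installs the Zeuslock extension' }

foreach ($key in $ForcelistKeys) {
    # Read what is already there so a re-run, or an entry added by hand, is not clobbered.
    $existing = try { @(Get-GPRegistryValue -Name $GpoName -Key $key -ErrorAction Stop) } catch { @() }
    if ($existing | Where-Object { $_.Value -eq $Entry }) { continue }
    $indices = @($existing | Where-Object { $_.ValueName -match '^\d+$' } | ForEach-Object { [int]$_.ValueName })
    $next    = if ($indices.Count) { ($indices | Measure-Object -Maximum).Maximum + 1 } else { 1 }
    Set-GPRegistryValue -Name $GpoName -Key $key -ValueName "$next" -Type String -Value $Entry | Out-Null
}

# Link to the pilot OU only; widen the link in later rings (see the phased rollout plan).
$linked = (Get-GPInheritance -Target $PilotOU).GpoLinks | Where-Object { $_.DisplayName -eq $GpoName }
if (-not $linked) { New-GPLink -Name $GpoName -Target $PilotOU -LinkEnabled Yes | Out-Null }

# Show the resulting entries for a quick eyeball check.
foreach ($key in $ForcelistKeys) { Get-GPRegistryValue -Name $GpoName -Key $key | Select-Object ValueName, Value }
```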

Part 2 — Deploy the desktop agent MSI

1. Stage the MSI on a UNC share

Copy ZeuslockAgent.msi to a share readable by Domain Computers (not just Domain Users — the install runs as SYSTEM, so the computer account is what authenticates to the share):

$Share = "\\fileserver\Software\Zeuslock"
# NTFS read+execute for computer accounts, inherited by the MSI and any transform placed here (CORP is the example NetBIOS domain)
icacls $Share /grant "CORP\Domain Computers:(OI)(CI)RX"
# The SMB share permissions must also grant Read to Domain Computers; NTFS rights alone are not enough

2. Inject the enrollment token

The agent needs ZEUS_ENROLL_TOKEN at install time. GPO Software Installation cannot pass MSI properties directly, so use one of two approaches:

  • Recommended: generate a transform. Copy ZeuslockAgent.msi to ZeuslockAgent-token.msi, insert the property into the copy with WiRunSQL.vbs (Windows SDK, shipped alongside Orca), then diff the two into a .mst with MsiTran; Orca or WiX can produce the same transform interactively:
cscript WiRunSQL.vbs ZeuslockAgent-token.msi "INSERT INTO Property (Property, Value) VALUES ('ZEUS_ENROLL_TOKEN', 'zk_live_xxxxxxxxxxxx')"
msitran -g ZeuslockAgent.msi ZeuslockAgent-token.msi ZeuslockAgent.mst
  • Alternative: pre-stage the token with a Group Policy Preferences Registry item that applies before the MSI runs. The item is equivalent to:
# Equivalent of the GPP Registry item (Action: Update, Hive: HKEY_LOCAL_MACHINE)
New-Item -Path "HKLM:\SOFTWARE\Zeuslock\Agent" -Force | Out-Null
New-ItemProperty -Path "HKLM:\SOFTWARE\Zeuslock\Agent" -Name "EnrollToken" -Value "zk_live_xxxxxxxxxxxx" -PropertyType String -Force | Out-Null

Either way the token is not secret once deployed: a .mst on the share is readable by every domain computer, a GPP item is readable by every authenticated user via SYSVOL, and an HKLM value is readable by every local user. Do not reuse the enrollment token for anything else.

3. Create the Software Installation package

  1. In GPMC, edit a new GPO named Zeuslock - Desktop Agent.
  2. Go to Computer Configuration → Policies → Software Settings → Software Installation.
  3. Right-click → New → Package…. Browse using the UNC path (never a drive letter): \\fileserver\Software\Zeuslock\ZeuslockAgent.msi.
  4. Choose Assigned. If you generated a transform, switch to Advanced and add ZeuslockAgent.mst on the Modifications tab before clicking OK.
  5. Link the GPO to the same pilot OU.

4. Optional — Scheduled Task fallback

Software Installation occasionally fails on slow links or busy endpoints. Pair the GPO with a Scheduled Task that runs once at startup as SYSTEM:

msiexec /i \\fileserver\Software\Zeuslock\ZeuslockAgent.msi /qn /norestart ZEUS_ENROLL_TOKEN=zk_live_xxxxxxxxxxxx /l*v C:\Windows\Temp\zeuslock-install.log
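Registering that fallback task with the ScheduledTasks module, as an added example rather than a Zeuslock-supplied script. It uses the share path, token placeholder and log path from this guide, runs once per boot as SYSTEM, and expires after the rollout window so it does not linger.

```powershell
# Added example (not a Zeuslock-supplied script): register the startup fallback task with the
# ScheduledTasks module. Run on the endpoint or deploy via a GPP Scheduled Task item; share path and
# token placeholder are the ones used in this guide.
$TaskName = 'Zeuslock Agent Fallback Install'
$Msi      = '\\fileserver\Software\Zeuslock\ZeuslockAgent.msi'
$Token    = 'zk_live_xxxxxxxxxxxx'   # placeholder; substitute the token from the Operator Console
$Log      = 'C:\Windows\Temp\zeuslock-install.log'

# Same msiexec line as above. Re-running /i against an already-installed build only triggers a
# maintenance (repair) install and returns 0, so a boot after the GPO install succeeded does no harm.
$action = New-ScheduledTaskAction -Execute 'msiexec.exe' `
    -Argument "/i `"$Msi`" /qn /norestart ZEUS_ENROLL_TOKEN=$Token /l*v `"$Log`""

$trigger = New-ScheduledTaskTrigger -AtStartup
$trigger.Delay       = 'PT2M'                                  # let the network stack and DFS come up first
$trigger.EndBoundary = (Get-Date).AddDays(30).ToString('s')    # stop firing after the rollout window

$principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' -LogonType ServiceAccount -RunLevel Highest
$settings  = New-ScheduledTaskSettingsSet -StartWhenAvailable -RunOnlyIfNetworkAvailable `
    -ExecutionTimeLimit (New-TimeSpan -Minutes 30) -DeleteExpiredTaskAfter (New-TimeSpan -Days 1)

Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings -Force | Out-Null

# Confirm it registered and is ready; the first run happens on the next boot.
Get-ScheduledTask -TaskName $TaskName | Select-Object TaskName, State
```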

Verification

Reboot a test machine (do not just gpupdate /force — Software Installation policies only run at boot, before the user logs in, because the MSI installs services). Then on the endpoint:

gpresult /h C:\Temp\gpreport.html
Start-Process C:\Temp\gpreport.html

In the report, confirm both Zeuslock GPOs appear under Applied GPOs and the MSI is listed in Software Installation. Then check the policy and service:

Get-Service ZeuslockAgent
# Status should be Running, StartType Automatic

Start-Process "chrome.exe" "chrome://policy"
# Look for ExtensionInstallForcelist containing iicgcadhcgbckmpapjihechjpgcdamhd

Common GPO gotchas

  • ADMX in the wrong location. Templates in C:\Windows\PolicyDefinitions\ on a single DC are invisible from other DCs and GPMC. Always use the SYSVOL central store.
  • Forgetting the reboot. gpupdate /force applies most policies, but not Software Installation. The CSE that processes MSIs only runs during the boot → pre-logon phase, because installing a service while users are logged in is unsafe.
  • MSI exit code 1603 with no token. The agent refuses to register without a token and returns 1603. Either apply the .mst transform, pre-stage the registry value, or use the Scheduled Task fallback.
  • Conflicting ExtensionInstallBlocklist. A wildcard blocklist beats a forcelist unless the Zeuslock extension ID is also added to ExtensionInstallAllowlist.
  • WMI filters too narrow. A filter scoped to Win32_OperatingSystem WHERE Version LIKE '10.0.19%' will skip Windows 11. Use Caption LIKE 'Microsoft Windows 1%' or drop the filter.
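An endpoint-side check that covers the Verification steps and the blocklist and missing-token gotchas above in one pass, added here as an example rather than a Zeuslock tool. It assumes the service name ZeuslockAgent, the extension ID and the MSI log path from this guide, and reads the registry keys the Edge and Chrome policies write to.

```powershell
# Added example (not a Zeuslock tool): one-shot endpoint check covering the Verification steps and the
# blocklist and missing-token gotchas above. Service name, extension ID and log path are the guide's;
# the registry keys are where the Edge and Chrome ADMX settings land.
$ExtId    = 'iicgcadhcgbckmpapjihechjpgcdamhd'
$Log      = 'C:\Windows\Temp\zeuslock-install.log'
$Browsers = @{
    Edge   = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
    Chrome = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
}

function Get-PolicyList($Key) {
    # List policies are REG_SZ values named 1, 2, ... under the key; return just the strings.
    if (-not (Test-Path $Key)) { return @() }
    $item = Get-Item $Key
    $item.GetValueNames() | Where-Object { $_ -match '^\d+$' } | ForEach-Object { $item.GetValue($_) }
}

$report = @(foreach ($b in $Browsers.GetEnumerator()) {
    $force = @(Get-PolicyList "$($b.Value)\ExtensionInstallForcelist")
    $block = @(Get-PolicyList "$($b.Value)\ExtensionInstallBlocklist")
    $allow = @(Get-PolicyList "$($b.Value)\ExtensionInstallAllowlist")
    $forced   = [bool]($force | Where-Object { $_ -like "$ExtId;*" })
    # Gotcha: a wildcard (or explicit) blocklist entry beats the forcelist unless the ID is allowlisted.
    $shadowed = (($block -contains '*') -or ($block -contains $ExtId)) -and ($allow -notcontains $ExtId)
    [pscustomobject]@{
        Check  = "$($b.Key) forcelist"
        Pass   = $forced -and -not $shadowed
        Detail = if (-not $forced) { 'entry missing' } elseif ($shadowed) { 'blocklist shadows forcelist' } else { 'ok' }
    }
})

$svc = Get-Service -Name ZeuslockAgent -ErrorAction SilentlyContinue
$report += [pscustomobject]@{
    Check  = 'Agent service'
    Pass   = [bool]$svc -and $svc.Status -eq 'Running' -and $svc.StartType -eq 'Automatic'
    Detail = if ($svc) { "$($svc.Status) / $($svc.StartType)" } else { 'not installed' }
}

# Gotcha: exit code 1603 with no token. If the service is absent, read the verdict from the MSI log.
if (-not $svc -and (Test-Path $Log)) {
    $rc = Select-String -Path $Log -Pattern 'Installation success or error status: (\d+)' |
          Select-Object -Last 1 | ForEach-Object { $_.Matches[0].Groups[1].Value }
    $report += [pscustomobject]@{ Check = 'MSI log'; Pass = ($rc -eq '0'); Detail = "exit code $rc" }
}

$report | Format-Table -AutoSize
```

Run it elevated on the rebooted pilot machine; a Pass of False on any row points at the matching gotcha above.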

Phased rollout plan

  1. Ring 0 (Day 0): IT pilot OU — 10 to 20 endpoints. Validate ADMX application, MSI install, extension forcelist, agent service.
  2. Ring 1 (Day 7): one business unit (50 to 200 endpoints). Watch the Operator Console for unusual finding volumes and helpdesk tickets.
  3. Ring 2 (Day 14): remaining business units in batches, 7-day spacing between batches.
  4. Ring 3 (Day 21+): link the GPOs at the domain root with the pilot OU explicitly excluded via security filtering.

Once every ring is green, switch the Zeuslock policy mode from Monitor to Anonymize, and finally to Block, following the recommended 6-week cadence. See First detection walkthrough for what to expect once the agent starts firing.