In this article, I will guide you through the process of deploying webroot via Group Policy. This is a fairly straightforward process with only a little editing of the MSI. I am assuming you know how to download the MSI from the webroot portal. The portal changes often, so, I will leave this part out. If you are ready, throw on your group policy pins, and let’s get started.

Super Orca

The first thing you will need is the Super Orca. You can download it here, link. Once you get super orca installed, we will be able to download and set up the webroot MSI.

  1. Open Super Orca
  2. Open the Webroot MSI.
  3. Click the Property On the left (Red Block).
  4. Click GUILIC (Green Block)
  5. Enter the Key Number
  6. Click File
  7. Click Save As
  8. Save as a different name. ALWAYS KEEP THE ORIGINAL!

Shared Folder

Now you have the MSI ready. You need to place it into a shared folder location. This location has to be accessible to every computer in the company as a minimum of read-only. Make sure the share is shared! I can’t tell you how many times I made this mistake. If it’s shared, good, make sure some of the clients can reach it.

Group Policy

Now we have the MSI ready to go. It’s time for the group policy. It’s a very simple computer policy. In my experience, a lot of IT managers don’t want AVs on servers. So, this tutorial will include a wmi filter. Let’s get to it.

  1. Open Group Policy.
  2. Create a new policy and name it Workstation Webroot Deployment
  3. Right click the policy and select edit
  4. Computer > Policies > Software Settings > Software Installation
  5. Right Click and select New.
  6. Select the file for the installer.
  7. Click Ok
  8. Exit the policy

Now the WMI Filter.

  1. Double click the policy
  2. Right Click the WMI Filter (Purple Arrow)
  3. Click Add (Red Arrow)
  4. Enter: select * from win32_operatingsystem where producttype = 1
    1. The numbers mean:
      1. Workstation
      2. Domain Controller
      3. Server
  5. Click Ok
  6. Under the WMI Filter Select the WMI Object.

All that is left is linking the GPO. Now you can link it wherever you want. Most orgs have an OU just for workstations and one for servers just for this case. It doesn’t matter where you link it the WMI filter will ignore servers and only hit the workstations.

As always, if you have questions, feel free to ask. If you ever see anything that is wrong, feel free to reach out and correct me. Thank you for reading.